"Fossies" - the Fresh Open Source Software Archive

Member "sssd-2.2.3/src/man/include/ad_modified_defaults.xml" (30 Nov 2019, 3504 Bytes) of package /linux/misc/sssd-2.2.3.tar.gz:



<refsect1 id='modified-default-options'>
    <title>MODIFIED DEFAULT OPTIONS</title>
    <para>
        Certain option defaults do not match their respective backend
        provider defaults. These option names and their AD
        provider-specific defaults are listed below:
    </para>
    <refsect2 id='krb5_modifications'>
        <title>KRB5 Provider</title>
        <itemizedlist>
            <listitem>
                <para>
                    krb5_validate = true
                </para>
            </listitem>
            <listitem>
                <para>
                    krb5_use_enterprise_principal = true
                </para>
            </listitem>
        </itemizedlist>
    </refsect2>
    <refsect2 id='ldap_modifications'>
        <title>LDAP Provider</title>
        <itemizedlist>
            <listitem>
                <para>
                    ldap_schema = ad
                </para>
            </listitem>
            <listitem>
                <para>
                    ldap_force_upper_case_realm = true
                </para>
            </listitem>
            <listitem>
                <para>
                    ldap_id_mapping = true
                </para>
            </listitem>
            <listitem>
                <para>
                    ldap_sasl_mech = gssapi
                </para>
            </listitem>
            <listitem>
                <para>
                    ldap_referrals = false
                </para>
            </listitem>
            <listitem>
                <para>
                    ldap_account_expire_policy = ad
                </para>
            </listitem>
            <listitem>
                <para>
                    ldap_use_tokengroups = true
                </para>
            </listitem>
            <listitem>
                <para>
                    ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
                </para>
                <para>
                    The AD provider looks for a different principal than the
                    LDAP provider by default, because in an Active Directory
                    environment the principals are divided into two groups
                    - User Principals and Service Principals. Only a User
                    Principal can be used to obtain a TGT and, by default,
                    a computer object's principal is constructed from
                    its sAMAccountName and the AD realm. The well-known
                    host/hostname@REALM principal is a Service Principal
                    and thus cannot be used to obtain a TGT.
                </para>
            </listitem>
        </itemizedlist>
    </refsect2>
    <refsect2 id='nss_modifications'>
        <title>NSS configuration</title>
        <itemizedlist>
            <listitem>
                <para>
                    fallback_homedir = /home/%d/%u
                </para>
                <para>
                    The AD provider automatically sets
                    "fallback_homedir = /home/%d/%u" to provide personal
                    home directories for users without the homeDirectory
                    attribute. If your AD Domain is properly
                    populated with POSIX attributes, and you want to avoid
                    this fallback behavior, you can explicitly
                    set "fallback_homedir = %o".
                </para>
            </listitem>
        </itemizedlist>
    </refsect2>
</refsect1>
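
An added example, not part of the SSSD source: a small audit that reads sssd.conf text and reports every option a domain with id_provider = ad sets explicitly to something other than the AD provider default listed above. The function name, the sample configuration and the domain names are constructed for illustration; ldap_sasl_authid is left out because its value is host-specific.

```python
import configparser

# AD provider defaults as listed in the section above.
AD_DEFAULTS = {
    "krb5_validate": "true",
    "krb5_use_enterprise_principal": "true",
    "ldap_schema": "ad",
    "ldap_force_upper_case_realm": "true",
    "ldap_id_mapping": "true",
    "ldap_sasl_mech": "gssapi",
    "ldap_referrals": "false",
    "ldap_account_expire_policy": "ad",
    "ldap_use_tokengroups": "true",
    "fallback_homedir": "/home/%d/%u",
}

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONF = """[domain/ad.example.test]
id_provider = ad
krb5_validate = False
ldap_id_mapping = true
fallback_homedir = %o

[domain/ldap.example.test]
id_provider = ldap
ldap_schema = rfc2307
"""

def find_overrides(conf_text):
    """Return (section, option, configured, ad_default) for AD domains."""
    # interpolation=None: values such as /home/%d/%u contain a literal '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        is_ad = cp.get(section, "id_provider", fallback="").strip().lower() == "ad"
        if not (section.startswith("domain/") and is_ad):
            continue  # only domains served by the AD provider are relevant
        for option, default in AD_DEFAULTS.items():
            if cp.has_option(section, option):  # unset means the default applies
                value = cp.get(section, option).strip()
                if value.lower() != default.lower():
                    findings.append((section, option, value, default))
    return findings

if __name__ == "__main__":
    print(*find_overrides(SAMPLE_CONF), sep="\n")
```
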