|
 |
ca1eb8 |
From 731f098767ce352722dc4d4525c6a520cc5b5dab Mon Sep 17 00:00:00 2001
|
|
|
ca1eb8 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
ca1eb8 |
Date: Wed, 27 Jun 2018 09:59:42 +0200
|
|
|
ca1eb8 |
Subject: [PATCH] MAN: Document the options available for AD trusted domains
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
Related:
|
|
|
ca1eb8 |
https://pagure.io/SSSD/sssd/issue/3291
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
ca1eb8 |
(cherry picked from commit 014e7d8ab6aa4cf3051764052326258230c0bc86)
|
|
|
ca1eb8 |
---
|
|
|
ca1eb8 |
src/man/sssd-ipa.5.xml | 92 ++++++++++++++++++++++++++++++++++++++++++
|
|
|
ca1eb8 |
1 file changed, 92 insertions(+)
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
|
|
|
ca1eb8 |
index e4e58afaf6616f759ef82c77e339bdc738939dbe..e46957d5f742bafc11774992afe08d32443d061f 100644
|
|
|
ca1eb8 |
--- a/src/man/sssd-ipa.5.xml
|
|
|
ca1eb8 |
+++ b/src/man/sssd-ipa.5.xml
|
|
|
ca1eb8 |
@@ -728,6 +728,98 @@
|
|
|
ca1eb8 |
</para>
|
|
|
ca1eb8 |
</refsect1>
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
+ <refsect1 id='trusted_domains'>
|
|
|
ca1eb8 |
+ <title>TRUSTED DOMAINS CONFIGURATION</title>
|
|
|
ca1eb8 |
+ <para>
|
|
|
ca1eb8 |
+ Some configuration options can be also set for a trusted domain.
|
|
|
ca1eb8 |
+ A trusted domain configuration can either be done using
|
|
|
ca1eb8 |
+ a subsection, for example:
|
|
|
ca1eb8 |
+<programlisting>
|
|
|
ca1eb8 |
+[domain/ipa.domain.com/ad.domain.com]
|
|
|
ca1eb8 |
+ad_server = dc.ad.domain.com
|
|
|
ca1eb8 |
+</programlisting>
|
|
|
ca1eb8 |
+ </para>
|
|
|
ca1eb8 |
+ <para>
|
|
|
ca1eb8 |
+ In addition, some options can be set in the parent domain
|
|
|
ca1eb8 |
+ and inherited by the trusted domain using the
|
|
|
ca1eb8 |
+ <quote>subdomain_inherit</quote> option. For more details,
|
|
|
ca1eb8 |
+ see the
|
|
|
ca1eb8 |
+ <citerefentry>
|
|
|
ca1eb8 |
+ <refentrytitle>sssd.conf</refentrytitle>
|
|
|
ca1eb8 |
+ <manvolnum>5</manvolnum>
|
|
|
ca1eb8 |
+ </citerefentry> manual page.
|
|
|
ca1eb8 |
+ </para>
|
|
|
ca1eb8 |
+ <para>
|
|
|
ca1eb8 |
+ Different configuration options are tunable for a trusted
|
|
|
ca1eb8 |
+ domain depending on whether you are configuring SSSD on an
|
|
|
ca1eb8 |
+ IPA server or an IPA client.
|
|
|
ca1eb8 |
+ </para>
|
|
|
ca1eb8 |
+ <refsect2 id='server_configuration'>
|
|
|
ca1eb8 |
+ <title>OPTIONS TUNABLE ON IPA MASTERS</title>
|
|
|
ca1eb8 |
+ <para>
|
|
|
ca1eb8 |
+ The following options can be set in a subdomain
|
|
|
ca1eb8 |
+ section on an IPA master:
|
|
|
ca1eb8 |
+ <itemizedlist>
|
|
|
ca1eb8 |
+ <listitem>
|
|
|
ca1eb8 |
+ <para>ad_server</para>
|
|
|
ca1eb8 |
+ </listitem>
|
|
|
ca1eb8 |
+ <listitem>
|
|
|
ca1eb8 |
+ <para>ad_backup_server</para>
|
|
|
ca1eb8 |
+ </listitem>
|
|
|
ca1eb8 |
+ <listitem>
|
|
|
ca1eb8 |
+ <para>ad_site</para>
|
|
|
ca1eb8 |
+ </listitem>
|
|
|
ca1eb8 |
+ <listitem>
|
|
|
ca1eb8 |
+ <para>ldap_search_base</para>
|
|
|
ca1eb8 |
+ </listitem>
|
|
|
ca1eb8 |
+ <listitem>
|
|
|
ca1eb8 |
+ <para>ldap_user_search_base</para>
|
|
|
ca1eb8 |
+ </listitem>
|
|
|
ca1eb8 |
+ <listitem>
|
|
|
ca1eb8 |
+ <para>ldap_group_search_base</para>
|
|
|
ca1eb8 |
+ </listitem>
|
|
|
ca1eb8 |
+ <listitem>
|
|
|
ca1eb8 |
+ <para>use_fully_qualified_names</para>
|
|
|
ca1eb8 |
+ </listitem>
|
|
|
ca1eb8 |
+ </itemizedlist>
|
|
|
ca1eb8 |
+ </para>
|
|
|
ca1eb8 |
+ </refsect2>
|
|
|
ca1eb8 |
+ <refsect2 id='client_configuration'>
|
|
|
ca1eb8 |
+ <title>OPTIONS TUNABLE ON IPA CLIENTS</title>
|
|
|
ca1eb8 |
+ <para>
|
|
|
ca1eb8 |
+ The following options can be set in a subdomain
|
|
|
ca1eb8 |
+ section on an IPA client:
|
|
|
ca1eb8 |
+ <itemizedlist>
|
|
|
ca1eb8 |
+ <listitem>
|
|
|
ca1eb8 |
+ <para>ad_server</para>
|
|
|
ca1eb8 |
+ </listitem>
|
|
|
ca1eb8 |
+ <listitem>
|
|
|
ca1eb8 |
+ <para>ad_site</para>
|
|
|
ca1eb8 |
+ </listitem>
|
|
|
ca1eb8 |
+ </itemizedlist>
|
|
|
ca1eb8 |
+ </para>
|
|
|
ca1eb8 |
+ <para>
|
|
|
ca1eb8 |
+ Note that if both options are set, only
|
|
|
ca1eb8 |
+ <quote>ad_server</quote> is evaluated.
|
|
|
ca1eb8 |
+ </para>
|
|
|
ca1eb8 |
+ <para>
|
|
|
ca1eb8 |
+ Since any request for a user or a group identity from a
|
|
|
ca1eb8 |
+ trusted domain triggered from an IPA client is resolved
|
|
|
ca1eb8 |
+ by the IPA server, the <quote>ad_server</quote> and
|
|
|
ca1eb8 |
+ <quote>ad_site</quote> options only affect which AD DC will
|
|
|
ca1eb8 |
+ the authentication be performed against. In particular,
|
|
|
ca1eb8 |
+ the addresses resolved from these lists will be written to
|
|
|
ca1eb8 |
+ <quote>kdcinfo</quote> files read by the Kerberos locator
|
|
|
ca1eb8 |
+ plugin. Please refer to the
|
|
|
ca1eb8 |
+ <citerefentry>
|
|
|
ca1eb8 |
+ <refentrytitle>sssd_krb5_locator_plugin</refentrytitle>
|
|
|
ca1eb8 |
+ <manvolnum>8</manvolnum>
|
|
|
ca1eb8 |
+ </citerefentry> manual page for more details on the Kerberos
|
|
|
ca1eb8 |
+ locator plugin.
|
|
|
ca1eb8 |
+ </para>
|
|
|
ca1eb8 |
+ </refsect2>
|
|
|
ca1eb8 |
+ </refsect1>
|
|
|
ca1eb8 |
+
|
|
|
ca1eb8 |
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/failover.xml" />
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/service_discovery.xml" />
|
|
|
ca1eb8 |
--
|
|
|
ca1eb8 |
2.17.1
|
|
|
ca1eb8 |
|