From 731f098767ce352722dc4d4525c6a520cc5b5dab Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 27 Jun 2018 09:59:42 +0200 Subject: [PATCH] MAN: Document the options available for AD trusted domains Related: https://pagure.io/SSSD/sssd/issue/3291 Reviewed-by: Sumit Bose (cherry picked from commit 014e7d8ab6aa4cf3051764052326258230c0bc86) --- src/man/sssd-ipa.5.xml | 92 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index e4e58afaf6616f759ef82c77e339bdc738939dbe..e46957d5f742bafc11774992afe08d32443d061f 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml 
@@ -728,6 +728,98 @@ + + TRUSTED DOMAINS CONFIGURATION + + Some configuration options can be also set for a trusted domain. + A trusted domain configuration can either be done using + a subsection, for example: + +[domain/ipa.domain.com/ad.domain.com] +ad_server = dc.ad.domain.com + + + + In addition, some options can be set in the parent domain + and inherited by the trusted domain using the + subdomain_inherit option. For more details, + see the + + sssd.conf + 5 + manual page. + + + Different configuration options are tunable for a trusted + domain depending on whether you are configuring SSSD on an + IPA server or an IPA client. + + + OPTIONS TUNABLE ON IPA MASTERS + + The following options can be set in a subdomain + section on an IPA master: + + + ad_server + + + ad_backup_server + + + ad_site + + + ldap_search_base + + + ldap_user_search_base + + + ldap_group_search_base + + + use_fully_qualified_names + + + + + + OPTIONS TUNABLE ON IPA CLIENTS + + The following options can be set in a subdomain + section on an IPA client: + + + ad_server + + + ad_site + + + + + Note that if both options are set, only + ad_server is evaluated. + + + Since any request for a user or a group identity from a + trusted domain triggered from an IPA client is resolved + by the IPA server, the ad_server and + ad_site options only affect which AD DC will + the authentication be performed against. In particular, + the addresses resolved from these lists will be written to + kdcinfo files read by the Kerberos locator + plugin. Please refer to the + + sssd_krb5_locator_plugin + 8 + manual page for more details on the Kerberos + locator plugin. + + + + -- 2.17.1
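Review bot: The precedence note "if both options are set, only ad_server is evaluated" appears only under OPTIONS TUNABLE ON IPA CLIENTS, while the IPA masters list also offers both ad_server and ad_site (plus ad_backup_server) with no statement of how they interact. Either repeat the note for masters or move it above both lists, so an admin pinning authentication to a specific DC knows which setting wins on each role. In the closing client paragraph, "the addresses resolved from these lists" has no antecedent, because ad_server and ad_site have not been described as lists at that point; say what the values are (for example, that each option accepts more than one entry) or reword to "the addresses resolved from these options". The same paragraph's "only affect which AD DC will the authentication be performed against" reads better as "only affect which AD DC the authentication is performed against". The introduction speaks of "an IPA server or an IPA client" while the subsection heading says "IPA MASTERS"; use one term throughout. In the first sentence, "can be also set" should be "can also be set".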