Table of Contents
This manual page describes the mapping attributes of SSSD LDAP provider sssd-ldap(5). Refer to the sssd-ldap(5) manual page for full details about SSSD LDAP provider configuration options.
The object class of a user entry in LDAP.
Default: posixAccount
The LDAP attribute that corresponds to the user's login name.
Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
The LDAP attribute that corresponds to the user's id.
Default: uidNumber
The LDAP attribute that corresponds to the user's primary group id.
Default: gidNumber
Active Directory primary group attribute for ID-mapping. Note that this attribute should only be set manually if you are running the “ldap” provider with ID mapping.
Default: unset (LDAP), primaryGroupID (AD)
The LDAP attribute that corresponds to the user's gecos field.
Default: gecos
The LDAP attribute that contains the name of the user's home directory.
Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)
The LDAP attribute that contains the path to the user's default shell.
Default: loginShell
The LDAP attribute that contains the UUID/GUID of an LDAP user object.
Default: not set in the general case, objectGUID for AD and ipaUniqueID for IPA
The LDAP attribute that contains the objectSID of an LDAP user object. This is usually only necessary for ActiveDirectory servers.
Default: objectSid for ActiveDirectory, not set for other servers.
The LDAP attribute that contains timestamp of the last modification of the parent object.
Default: modifyTimestamp
When using ldap_pwd_policy=shadow, this parameter contains the name of an LDAP attribute corresponding to its shadow(5) counterpart (date of the last password change).
Default: shadowLastChange
When using ldap_pwd_policy=shadow, this parameter contains the name of an LDAP attribute corresponding to its shadow(5) counterpart (minimum password age).
Default: shadowMin
When using ldap_pwd_policy=shadow, this parameter contains the name of an LDAP attribute corresponding to its shadow(5) counterpart (maximum password age).
Default: shadowMax
When using ldap_pwd_policy=shadow, this parameter contains the name of an LDAP attribute corresponding to its shadow(5) counterpart (password warning period).
Default: shadowWarning
When using ldap_pwd_policy=shadow, this parameter contains the name of an LDAP attribute corresponding to its shadow(5) counterpart (password inactivity period).
Default: shadowInactive
When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this parameter contains the name of an LDAP attribute corresponding to its shadow(5) counterpart (account expiration date).
Default: shadowExpire
When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of an LDAP attribute storing the date and time of last password change in kerberos.
Default: krbLastPwdChange
When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of an LDAP attribute storing the date and time when current password expires.
Default: krbPasswordExpiration
When using ldap_account_expire_policy=ad, this parameter contains the name of an LDAP attribute storing the expiration time of the account.
Default: accountExpires
When using ldap_account_expire_policy=ad, this parameter contains the name of an LDAP attribute storing the user account control bit field.
Default: userAccountControl
When using ldap_account_expire_policy=rhds or equivalent, this parameter determines if access is allowed or not.
Default: nsAccountLock
When using ldap_account_expire_policy=nds, this attribute determines if access is allowed or not.
Default: loginDisabled
When using ldap_account_expire_policy=nds, this attribute determines until which date access is granted.
Default: loginDisabled
When using ldap_account_expire_policy=nds, this attribute determines the hours of a day in a week when access is granted.
Default: loginAllowedTimeMap
The LDAP attribute that contains the user's Kerberos User Principal Name (UPN).
Default: krbPrincipalName
Comma-separated list of LDAP attributes that SSSD would fetch along with the usual set of user attributes.
The list can either contain LDAP attribute names only, or colon-separated tuples of SSSD cache attribute name and LDAP attribute name. In case only LDAP attribute name is specified, the attribute is saved to the cache verbatim. Using a custom SSSD attribute name might be required by environments that configure several SSSD domains with different LDAP schemas.
Please note that several attribute names are reserved by SSSD, notably the “name” attribute. SSSD would report an error if any of the reserved attribute names is used as an extra attribute name.
Examples:
ldap_user_extra_attrs = telephoneNumber
Save the “telephoneNumber” attribute from LDAP as “telephoneNumber” to the cache.
ldap_user_extra_attrs = phone:telephoneNumber
Save the “telephoneNumber” attribute from LDAP as “phone” to the cache.
Default: not set
The LDAP attribute that contains the user's SSH public keys.
Default: sshPublicKey
The LDAP attribute that corresponds to the user's full name.
Default: cn
The LDAP attribute that lists the user's group memberships.
Default: memberOf
If access_provider=ldap and ldap_access_order=authorized_service, SSSD will use the presence of the authorizedService attribute in the user's LDAP entry to determine access privilege.
An explicit deny (!svc) is resolved first. Second, SSSD searches for explicit allow (svc) and finally for allow_all (*).
Please note that the ldap_access_order configuration option must include “authorized_service” in order for the ldap_user_authorized_service option to work.
Some distributions (such as Fedora-29+ or RHEL-8) always include the “systemd-user” PAM service as part of the login process. Therefore when using service-based access control, the “systemd-user” service might need to be added to the list of allowed services.
Default: authorizedService
If access_provider=ldap and ldap_access_order=host, SSSD will use the presence of the host attribute in the user's LDAP entry to determine access privilege.
An explicit deny (!host) is resolved first. Second, SSSD searches for explicit allow (host) and finally for allow_all (*).
Please note that the ldap_access_order configuration option must include “host” in order for the ldap_user_authorized_host option to work.
Default: host
If access_provider=ldap and ldap_access_order=rhost, SSSD will use the presence of the rhost attribute in the user's LDAP entry to determine access privilege. Similarly to host verification process.
An explicit deny (!rhost) is resolved first. Second, SSSD searches for explicit allow (rhost) and finally for allow_all (*).
Please note that the ldap_access_order configuration option must include “rhost” in order for the ldap_user_authorized_rhost option to work.
Default: rhost
Name of the LDAP attribute containing the X509 certificate of the user.
Default: userCertificate;binary
Name of the LDAP attribute containing the email address of the user.
Note: If an email address of a user conflicts with an email address or fully qualified name of another user, then SSSD will not be able to serve those users properly. If for some reason several users need to share the same email address then set this option to a nonexistent attribute name in order to disable user lookup/login by email.
Default: mail
The object class of a group entry in LDAP.
Default: posixGroup
The LDAP attribute that corresponds to the group name.
Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)
The LDAP attribute that corresponds to the group's id.
Default: gidNumber
The LDAP attribute that contains the names of the group's members.
Default: memberuid (rfc2307) / member (rfc2307bis)
The LDAP attribute that contains the UUID/GUID of an LDAP group object.
Default: not set in the general case, objectGUID for AD and ipaUniqueID for IPA
The LDAP attribute that contains the objectSID of an LDAP group object. This is usually only necessary for ActiveDirectory servers.
Default: objectSid for ActiveDirectory, not set for other servers.
The LDAP attribute that contains timestamp of the last modification of the parent object.
Default: modifyTimestamp
The LDAP attribute that contains an integer value indicating the type of the group and maybe other flags.
This attribute is currently only used by the AD provider to determine if a group is a domain local groups and has to be filtered out for trusted domains.
Default: groupType in the AD provider, otherwise not set
The LDAP attribute that references group members that are defined in an external domain. At the moment, only IPA's external members are supported.
Default: ipaExternalMember in the IPA provider, otherwise unset.
The object class of a netgroup entry in LDAP.
In IPA provider, ipa_netgroup_object_class should be used instead.
Default: nisNetgroup
The LDAP attribute that corresponds to the netgroup name.
In IPA provider, ipa_netgroup_name should be used instead.
Default: cn
The LDAP attribute that contains the names of the netgroup's members.
In IPA provider, ipa_netgroup_member should be used instead.
Default: memberNisNetgroup
The LDAP attribute that contains the (host, user, domain) netgroup triples.
This option is not available in IPA provider.
Default: nisNetgroupTriple
The LDAP attribute that contains timestamp of the last modification of the parent object.
This option is not available in IPA provider.
Default: modifyTimestamp
The object class of a host entry in LDAP.
Default: ipService
The LDAP attribute that corresponds to the host's name.
Default: cn
The LDAP attribute that corresponds to the host's fully-qualified domain name.
Default: fqdn
The LDAP attribute that corresponds to the host's name.
Default: serverHostname
The LDAP attribute that lists the host's group memberships.
Default: memberOf
The LDAP attribute that contains the host's SSH public keys.
Default: sshPublicKey
The LDAP attribute that contains the UUID/GUID of an LDAP host object.
Default: not set
The object class of a service entry in LDAP.
Default: ipService
The LDAP attribute that contains the name of service attributes and their aliases.
Default: cn
The LDAP attribute that contains the port managed by this service.
Default: ipServicePort
The LDAP attribute that contains the protocols understood by this service.
Default: ipServiceProtocol
The object class of a sudo rule entry in LDAP.
Default: sudoRole
The LDAP attribute that corresponds to the sudo rule name.
Default: cn
The LDAP attribute that corresponds to the command name.
Default: sudoCommand
The LDAP attribute that corresponds to the host name (or host IP address, host IP network, or host netgroup)
Default: sudoHost
The LDAP attribute that corresponds to the user name (or UID, group name or user's netgroup)
Default: sudoUser
The LDAP attribute that corresponds to the sudo options.
Default: sudoOption
The LDAP attribute that corresponds to the user name that commands may be run as.
Default: sudoRunAsUser
The LDAP attribute that corresponds to the group name or group GID that commands may be run as.
Default: sudoRunAsGroup
The LDAP attribute that corresponds to the start date/time for when the sudo rule is valid.
Default: sudoNotBefore
The LDAP attribute that corresponds to the expiration date/time, after which the sudo rule will no longer be valid.
Default: sudoNotAfter
The LDAP attribute that corresponds to the ordering index of the rule.
Default: sudoOrder
The object class of an automount map entry in LDAP.
Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap
The name of an automount map entry in LDAP.
Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName
The object class of an automount entry in LDAP. The entry usually corresponds to a mount point.
Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount
The key of an automount entry in LDAP. The entry usually corresponds to a mount point.
Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey
The key of an automount entry in LDAP. The entry usually corresponds to a mount point.
Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise automountInformation
sssd(8), sssd.conf(5), sssd-ldap(5), sssd-krb5(5), sssd-simple(5), sssd-ipa(5), sssd-ad(5), sssd-files(5), sssd-sudo(5), sssd-secrets(5), sssd-session-recording(5), sss_cache(8), sss_debuglevel(8), sss_groupadd(8), sss_groupdel(8), sss_groupshow(8), sss_groupmod(8), sss_useradd(8), sss_userdel(8), sss_usermod(8), sss_obfuscate(8), sss_seed(8), sssd_krb5_locator_plugin(8), sss_ssh_authorizedkeys(8), sss_ssh_knownhostsproxy(8), sssd-ifp(5), pam_sss(8). sss_rpcidmapd(5) sssd-systemtap(5)