diff --git a/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst b/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst index 4bca576f2..562d56e3d 100644 --- a/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst +++ b/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst @@ -97,13 +97,13 @@ Commands to add mandatory parameters for a remote ldap domain: # is “identity” for all domains. # identifies a domain as either “ldap-domain1”, “ldap-domain2” or “ldap-domain3”. - E.g.: + Example: system service-parameter-add identity ldap-domain1 domain_name=ad.wad-server.com system service-parameter-add identity ldap-domain1 ldap_uri=ldaps://ad.wad-server.com - system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=WRCP_Admin,CN=Users,DC=wad-server,DC=com + system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-server,DC=com system service-parameter-add identity ldap-domain1 ldap_search_base=CN=Users,DC=wad-server,DC=com 
@@ -111,6 +111,22 @@ Commands to add mandatory parameters for a remote ldap domain: system service-parameter-add identity ldap-domain1 ldap_default_authtok =Passw0rd* +.. note:: + + The ``ldap_access_filter`` service parameter can be configured to allow + access to the Linux host. In the following example, the access is + restricted to members of the group ``allowedusers``. Users that are not + part of ``allowedusers`` will get the message ``Authentication failed``. + Here, ``allowedusers`` is an example of a |WAD| group. + + .. code-block:: none + + system service-parameter-add identity ldap-domain1 ldap_access_filter=memberOf=CN=allowedusers,CN=Users,DC=wad-1,DC=cumulus,DC=wrs,DC=com + + The ``allowedusers`` group is a |WAD| group where the ``gidNumber`` + |LDAP| attribute must be set to a unique group number among Linux groups so + that it is mapped on the Linux platform as a Linux |LDAP| group with a + unique ``gid`` value. Optional Parameters -------------------
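Review bot: in the first hunk (`@@ -97,13`), the rewritten `ldap_access_filter` example keeps the base DN `DC=wad-server,DC=com`, which matches the `ldap_search_base=CN=Users,DC=wad-server,DC=com` line right below it, but the same parameter is then shown with a different base DN (`DC=wad-1,DC=cumulus,DC=wrs,DC=com`) in the note added by the second hunk. Both are meant to illustrate the same `allowedusers` group in the same `ldap-domain1`, so use one base DN in both places; otherwise a reader copying the note's command gets a filter that does not match the search base configured a few lines earlier. Replacing `E.g.:` with `Example:` is fine.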
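Review bot: in the second hunk (`@@ -111,6`), the note's first paragraph should say "access is restricted to members of the group ``allowedusers``" rather than "the access is restricted", and the sentence "Here, ``allowedusers`` is an example of a |WAD| group." duplicates what the last paragraph already states and can be dropped. The last paragraph should also say explicitly where ``gidNumber`` is set (on the group entry in |WAD|) so the reader knows this is a directory-side prerequisite, not a `system service-parameter-add` option. Separately, the unchanged context line ``ldap_default_authtok =Passw0rd*`` has a space before the ``=``, which would make ``ldap_default_authtok`` and ``=Passw0rd*`` two separate arguments on the command line; since this hunk edits the lines immediately after it, consider fixing it to ``ldap_default_authtok=Passw0rd*`` in the same change.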