
13.2.15. Domain Options: Setting Username Formats


One of the primary actions that SSSD performs is mapping a local system user to an identity in the remote identity provider. SSSD uses a combination of the user name and the domain back end name to create the login identity.
As long as they belong to different domains, SSSD can recognize different users with the same user name. For example, SSSD can successfully authenticate both jsmith in the ldap.example.com domain and jsmith in the ldap.otherexample.com domain.
The name format used to construct the full user name is (optionally) defined globally in the [sssd] section of the configuration and can then be overridden individually in each domain section.
Usernames for different services — LDAP, Samba, Active Directory, Identity Management, even the local system — all have different formats. The expression that SSSD uses to identify user name/domain name sets must be able to interpret names in different formats. This expression is set in the re_expression parameter.
In the global default, this filter constructs a name in the form name@domain:
(?P<name>[^@]+)@?(?P<domain>[^@]*$)

Note

The regular expression format is Python syntax.
The domain part may be supplied automatically, based on the domain name of the identity provider. Therefore, a user can log in as jsmith and if the user belongs to the LOCAL domain (for example), then his user name is interpreted by SSSD as jsmith@LOCAL.
However, other identity providers may have other formats. Samba, for example, has a very strict format, so the user name must match the form DOMAIN\username. For Samba, then, the regular expression must be:
(?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)
Some providers, such as Active Directory, support multiple different name formats. Active Directory and Identity Management, for example, support three different formats by default:
  • username
  • username@domain.name
  • DOMAIN\username
The default value for Active Directory and Identity Management providers, then, is a more complex filter that allows all three name formats:
(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))

Note

Requesting information with the fully-qualified name, such as jsmith@ldap.example.com, always returns the proper user account. If there are multiple users with the same user name in different domains, specifying only the user name returns the user for whichever domain comes first in the lookup order.
While re_expression is the most important method for setting user name formats, there are two other options which are useful for other applications.
Default Domain Name Value

The first sets a default domain name to be used with all users, default_domain_suffix. (This is a global setting, available in the [sssd] section only.) There may be a case where multiple domains are configured but only one stores user data and the others are used for host or service identities. Setting a default domain name allows users to log in with only their user name, not specifying the domain name (which would be required for users outside the primary domain).

[sssd]
...
default_domain_suffix = USERS.EXAMPLE.COM
Full Name Format for Output

The other parameter is related to re_expression, only instead of defining how to interpret a user name, it defines how to print an identified name. The full_name_format parameter sets how the user name and domain name (once determined) are displayed.

full_name_format = %1$s@%2$s
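The following is an added example, not code from SSSD or from this documentation, that applies the three re_expression values quoted above to sample logins and renders the result with the default full_name_format. One caveat it demonstrates: Python's re module rejects a group name that appears more than once in a pattern, so the combined Active Directory/Identity Management expression is tried as its three alternatives in order. The DIRECTORY sample, the domain names in it, and the split_login, full_name and lookup helpers are constructed for illustration; lookup shows the first-domain-wins behaviour for unqualified names described in the note above.

```python
import re

# re_expression patterns quoted on this page, compiled with Python's re module.
DEFAULT_RE = re.compile(r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)")
SAMBA_RE = re.compile(r"(?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)")
# Python's re rejects a group name that appears twice in one pattern, so the
# combined AD/IdM expression is split into its three alternatives, tried in
# the same order; the match result is the same as the single pattern.
AD_IPA_RES = [
    re.compile(r"(?P<domain>[^\\]+)\\(?P<name>.+$)"),
    re.compile(r"(?P<name>[^@]+)@(?P<domain>.+$)"),
    re.compile(r"^(?P<name>[^@\\]+)$"),
]

def split_login(login, patterns, default_domain=None):
    """Split a login string into (name, domain) as re_expression would.
    A missing or empty domain falls back to default_domain (the provider's
    own domain or default_domain_suffix); returns None if nothing matches."""
    for pat in patterns:
        m = pat.match(login)
        if m:
            domain = m.groupdict().get("domain") or default_domain
            return m.group("name"), domain
    return None

def full_name(name, domain, fmt="%1$s@%2$s"):
    """Render the pair with a full_name_format value: %1$s is the user
    name and %2$s the domain (printf-style positional arguments)."""
    return fmt.replace("%1$s", name).replace("%2$s", domain)

# Constructed sample directory, keyed by domain in SSSD lookup order.
DIRECTORY = {
    "ldap.example.com": {"jsmith": 1001},
    "ldap.otherexample.com": {"jsmith": 2001, "bjones": 2002},
}

def lookup(login, patterns, default_domain=None):
    """Resolve a login to (domain, uid). A qualified name is looked up only
    in its own domain; an unqualified one is tried against the domains in
    lookup order, so the first domain holding that user name always wins."""
    parsed = split_login(login, patterns, default_domain)
    if parsed is None:
        return None
    name, domain = parsed
    for d in ([domain] if domain else list(DIRECTORY)):
        uid = DIRECTORY.get(d, {}).get(name)
        if uid is not None:
            return d, uid
    return None
```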