481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek# SOME DESCRIPTIVE TITLE
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek# Copyright (C) YEAR Red Hat
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek# This file is distributed under the same license as the sssd-docs package.
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek# Translators:
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Project-Id-Version: sssd-docs 1.15.3\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"POT-Creation-Date: 2018-03-09 12:30+0100\n"
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"PO-Revision-Date: 2014-12-14 11:55-0500\n"
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"Last-Translator: Copied by Zanata <copied-by-zanata@zanata.org>\n"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Language-Team: Basque (http://www.transifex.com/projects/p/sssd/language/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Language: eu\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"MIME-Version: 1.0\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Content-Type: text/plain; charset=UTF-8\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Content-Transfer-Encoding: 8bit\n"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Plural-Forms: nplurals=2; plural=(n != 1);\n"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"X-Generator: Zanata 3.9.6\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sss_useradd.8.xml:5
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sssd-krb5.5.xml:5 sss_groupadd.8.xml:5 sss_userdel.8.xml:5
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sss_groupdel.8.xml:5 sss_groupshow.8.xml:5 sss_usermod.8.xml:5
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek#: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-files.5.xml:5 sssd-secrets.5.xml:5 sssd-session-recording.5.xml:5
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SSSD Manual pages"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_groupmod"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refmeta><manvolnum>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#: sss_groupmod.8.xml:11 pam_sss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#: sss_useradd.8.xml:11 sss_groupadd.8.xml:11 sss_userdel.8.xml:11
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#: sss_groupdel.8.xml:11 sss_groupshow.8.xml:11 sss_usermod.8.xml:11
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "modify a group"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:57
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sss_useradd.8.xml:30
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-files.5.xml:21 sssd-secrets.5.xml:21 sssd-session-recording.5.xml:21
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "DESCRIPTION"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupmod</command> modifies the group to reflect the changes "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"that are specified on the command line."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#: sss_groupmod.8.xml:39 pam_sss.8.xml:64 sssd.8.xml:42 sss_obfuscate.8.xml:58
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:66
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "OPTIONS"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Append this group to groups specified by the <replaceable>GROUPS</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"a comma separated list of group names."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Remove this group from groups specified by the <replaceable>GROUPS</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> parameter."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refmeta><manvolnum>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-files.5.xml:11 sssd-secrets.5.xml:11 sssd-session-recording.5.xml:11
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-files.5.xml:12 sssd-secrets.5.xml:12 sssd-session-recording.5.xml:12
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "File Formats and Conventions"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "the configuration file for SSSD"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "FILE FORMAT"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<replaceable>[section]</replaceable>\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The file has an ini-style syntax and consists of sections and parameters. A "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"section begins with the name of the section in square brackets and continues "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"until the next section begins. An example of section with single and multi-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The data types used are string (no quotes needed), integer and bool (with "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"values of <quote>TRUE/FALSE</quote>)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(<quote>;</quote>). Inline comments are not supported."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"All sections can have an optional <replaceable>description</replaceable> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"parameter. Its function is only as a label for the section."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<filename>sssd.conf</filename> must be a regular file, owned by root and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"only root may read from or write to the file."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozekmsgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY"
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"The configuration file <filename>sssd.conf</filename> will include "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"configuration snippets using the include directory <filename>conf.d</"
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"filename>. This feature is available if SSSD was compiled with libini "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"version 1.3.0 or later."
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"Any file placed in <filename>conf.d</filename> that ends in "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"<quote><filename>.conf</filename></quote> and does not begin with a dot "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"to configure SSSD."
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"The configuration snippets from <filename>conf.d</filename> have higher "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"priority than <filename>sssd.conf</filename> and will override "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"<filename>sssd.conf</filename> when conflicts occur. If several snippets are "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"present in <filename>conf.d</filename>, then they are included in "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"alphabetical order (based on locale). Files included later have higher "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"priority. Numerical prefixes (<filename>01_snippet.conf</filename>, "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"<filename>02_snippet.conf</filename> etc.) can help visualize the priority "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"(higher number means higher priority)."
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"The snippet files require the same owner and permissions as <filename>sssd."
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"conf</filename>. Which are by default root:root and 0600."
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "GENERAL OPTIONS"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Following options are usable in more than one configuration sections."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Options usable in all sections"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "debug_level (integer)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "debug (integer)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"for <replaceable>debug_level</replaceable> as a convenience feature. If both "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"are specified, the value of <replaceable>debug_level</replaceable> will be "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "debug_timestamps (bool)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Add a timestamp to the debug messages. If journald is enabled for SSSD "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"debug logging this option is ignored."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd.conf.5.xml:133 sssd.conf.5.xml:543 sssd.conf.5.xml:837
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1474 sssd-ldap.5.xml:1840 sssd-ldap.5.xml:1937
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:1999 sssd-ldap.5.xml:2565 sssd-ldap.5.xml:2630
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:2648 sssd-ad.5.xml:224 sssd-ad.5.xml:338 sssd-ad.5.xml:882
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-krb5.5.xml:499 sssd-secrets.5.xml:351 sssd-secrets.5.xml:364
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Default: true"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "debug_microseconds (bool)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Add microseconds to the timestamp in debug messages. If journald is enabled "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"for SSSD debug logging this option is ignored."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd.conf.5.xml:146 sssd.conf.5.xml:540 sssd.conf.5.xml:721
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1407 sssd.conf.5.xml:2925 sssd-ldap.5.xml:708
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:1714 sssd-ldap.5.xml:1733 sssd-ldap.5.xml:1909
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:2335 sssd-ipa.5.xml:151 sssd-ipa.5.xml:238
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ipa.5.xml:559 sssd-krb5.5.xml:266 sssd-krb5.5.xml:300
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Default: false"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:106 sssd.conf.5.xml:157 sssd-ldap.5.xml:2373
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-systemtap.5.xml:82 sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:210
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-systemtap.5.xml:248 sssd-systemtap.5.xml:304
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "<placeholder type=\"variablelist\" id=\"0\"/>"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Options usable in SERVICE and DOMAIN sections"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "timeout (integer)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Timeout in seconds between heartbeats for this service. This is used to "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"ensure that the process is alive and capable of answering requests. Note "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"that after three missed heartbeats the process will terminate itself."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:169 sssd.conf.5.xml:1359 sssd.conf.5.xml:2941
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:1585 include/ldap_id_mapping.xml:264
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Default: 10"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SPECIAL SECTIONS"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The [sssd] section"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Section parameters"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "config_file_version (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "services"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"Comma separated list of services that are started when sssd itself starts. "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"<phrase condition=\"have_systemd\"> The services' list is optional on "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"platforms where systemd is supported, as they will either be socket or D-Bus "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"activated when needed. </phrase>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"phrase> <phrase condition=\"with_ifp\">, ifp</phrase>"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"<phrase condition=\"have_systemd\"> By default, all services are disabled "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"and the administrator must enable the ones allowed to be used by executing: "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"\"systemctl enable sssd-@service@.socket\". </phrase>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "reconnection_retries (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Number of times services should attempt to reconnect in the event of a Data "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Provider crash or restart before they give up"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 3"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "domains"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"A domain is a database containing user information. SSSD can use more "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"domains at the same time, but at least one must be configured or SSSD won't "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"start. This parameter describes the list of domains in the order you want "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"them to be queried. A domain name should only consist of alphanumeric ASCII "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"characters, dashes, dots and underscores."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "re_expression (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default regular expression that describes how to parse the string containing "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"user name and domain into these components."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Each domain can have an individual regular expression configured. For some "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"ID providers there are also default regular expressions. See DOMAIN SECTIONS "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"for more info on these regular expressions."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "full_name_format (string)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"manvolnum> </citerefentry>-compatible format that describes how to compose a "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"fully qualified name from user name and domain name components."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "user name"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "domain name as specified in the SSSD config file."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"domain flat name. Mostly usable for Active Directory domains, both directly "
0172959f117b545c8a6b1893f5f56818d82dd624Jakub Hrozek"configured or discovered via IPA trusts."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"The following expansions are supported: <placeholder type=\"variablelist\" "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Each domain can have an individual format string configured. see DOMAIN "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"SECTIONS for more info on this option."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "try_inotify (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"SSSD monitors the state of resolv.conf to identify when it needs to update "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"its internal DNS resolver. By default, we will attempt to use inotify for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"this, and will fall back to polling resolv.conf every five seconds if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"inotify cannot be used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"There are some limited situations where it is preferred that we should skip "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"even trying to use inotify. In these rare cases, this option should be set "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: true on platforms where inotify is supported. False on other "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Note: this option will have no effect on platforms where inotify is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"unavailable. On these platforms, polling will always be used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_rcache_dir (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Directory on the filesystem where SSSD should store Kerberos replay cache "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"SSSD to let libkrb5 decide the appropriate location for the replay cache."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: Distribution-specific and specified at build-time. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(__LIBKRB5_DEFAULTS__ if not configured)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "user (string)"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"The user to drop the privileges to where appropriate to avoid running as the "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"root user. <phrase condition=\"have_systemd\"> This option does not work "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"when running socket-activated services, as the user set up to run the "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"processes is set up during compilation time. The way to override the "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"systemd unit files is by creating the appropriate files in /etc/systemd/"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"system/. Keep in mind that any change in the socket user, group or "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"permissions may result in a non-usable SSSD. The same may occur in case of "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"changes of the user running the NSS responder. </phrase>"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "Default: not set, process will run as root"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "default_domain_suffix (string)"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"This string will be used as a default domain name for all names without a "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"domain name component. The main use case is environments where the primary "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"domain is intended for managing host policies and all users are located in a "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"trusted domain. The option allows those users to log in just with their "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"user name without giving a domain name as well."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Please note that if this option is set all users from the primary domain "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"have to use their fully qualified name, e.g. user@domain.name, to log in. "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"Setting this option changes default of use_fully_qualified_names to True. It "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"is not allowed to use this option together with use_fully_qualified_names "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"set to False."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:418 sssd.conf.5.xml:1163 sssd-ldap.5.xml:679
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:1319 sssd-ldap.5.xml:1673 sssd-ldap.5.xml:1685
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:1767 sssd-ad.5.xml:687 sssd-ad.5.xml:762 sssd.8.xml:126
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-krb5.5.xml:410 sssd-krb5.5.xml:556 sssd-secrets.5.xml:339
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-secrets.5.xml:377 sssd-secrets.5.xml:390 sssd-secrets.5.xml:404
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-secrets.5.xml:415 include/ldap_id_mapping.xml:205
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "Default: not set"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "override_space (string)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"This parameter will replace spaces (space bar) with the given character for "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"user and group names. e.g. (_). User name "john doe" will be "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek""john_doe" This feature was added to help compatibility with shell "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"scripts that have difficulty handling spaces, due to the default field "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"separator in the shell."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"Please note it is a configuration error to use a replacement character that "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"might be used in user or group names. If a name contains the replacement "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"character SSSD tries to return the unmodified name but in general the result "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"of a lookup is undefined."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Default: not set (spaces will not be replaced)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "certificate_verification (string)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "no_ocsp"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Disables Online Certificate Status Protocol (OCSP) checks. This might be "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"needed if the OCSP servers defined in the certificate are not reachable from "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"the client."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "no_verification"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Disables verification completely. This option should only be used for "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ocsp_default_responder=URL"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Sets the OCSP default responder which should be used instead of the one "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"mentioned in the certificate. URL must be replaced with the URL of the OCSP "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"default responder e.g. http://example.com:80/ocsp."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"This option must be used together with ocsp_default_responder_signing_cert."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ocsp_default_responder_signing_cert=NAME"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"The nickname of the cert to trust (expected) to sign the OCSP responses. "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The certificate with the given nickname must be available in the systems NSS "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "This option must be used together with ocsp_default_responder."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"With this parameter the certificate verification can be tuned with a comma "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"separated list of options. Supported options are: <placeholder type="
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"\"variablelist\" id=\"0\"/>"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Unknown options are reported but ignored."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozekmsgid "Default: not set, i.e. do not restrict certificate verification"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "disable_netlink (boolean)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"SSSD hooks into the netlink interface to monitor changes to routes, "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"addresses, links and trigger certain actions."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The SSSD state changes caused by netlink events may be undesirable and can "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"be disabled by setting this option to 'true'"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Default: false (netlink changes are detected)"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozekmsgid "enable_files_domain (boolean)"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"When this option is enabled, SSSD prepends an implicit domain with "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"<quote>id_provider=files</quote> before any explicitly configured domains."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "domain_resolution_order"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Comma separated list of domains and subdomains representing the lookup order "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"that will be followed. The list doesn't have to include all possible "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"domains as the missing domains will be looked up based on the order they're "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"presented in the <quote>domains</quote> configuration option. The "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"subdomains which are not listed as part of <quote>lookup_order</quote> will "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"be looked up in a random order for each parent domain."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Please, note that when this option is set the output format of all commands "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"is always fully-qualified even when using short names for input. In case "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"the administrator wants the output not fully-qualified, the full_name_format "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"option can be used as shown below: <quote>full_name_format=%1$s</quote> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"However, keep in mind that during login, login applications often "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"canonicalize the username by calling <citerefentry> <refentrytitle>getpwnam</"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"refentrytitle> <manvolnum>3</manvolnum> </citerefentry> which, if a "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"shortname is returned for a qualified input (while trying to reach a user "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"which exists in multiple domains) might re-route the login attempt into the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"domain which users shortnames, making this workaround totally not "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"recommended in cases where usernames may overlap between domains."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:587 sssd.conf.5.xml:1371 sssd.conf.5.xml:2991
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ad.5.xml:161 sssd-ad.5.xml:299 sssd-ad.5.xml:313
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Default: Not set"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Individual pieces of SSSD functionality are provided by special SSSD "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"services that are started and stopped together with SSSD. The services are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"managed by a special service frequently called <quote>monitor</quote>. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>[sssd]</quote> section is used to configure the monitor as well as "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"some other important options like the identity domains. <placeholder type="
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SERVICES SECTIONS"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Settings that can be used to configure different services are described in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"section, for example, for NSS service, the section would be <quote>[nss]</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "General service configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "These options can be used to configure any service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "fd_limit"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option specifies the maximum number of file descriptors that may be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"opened at one time by this SSSD process. On systems where SSSD is granted "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"systems without this capability, the resulting value will be the lower value "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of this or the limits.conf \"hard\" limit."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 8192 (or limits.conf \"hard\" limit)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "client_idle_timeout"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option specifies the number of seconds that a client of an SSSD process "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"can hold onto a file descriptor without communicating on it. This value is "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"limited in order to avoid resource exhaustion on the system. The timeout "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"can't be shorter than 10 seconds. If a lower value is configured, it will be "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"adjusted to 10 seconds."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd.conf.5.xml:655 sssd.conf.5.xml:687 sssd.conf.5.xml:968
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Default: 60"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "offline_timeout (integer)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"When SSSD switches to offline mode the amount of time before it tries to go "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"back online will increase based upon the time spent disconnected. This "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"value is in seconds and calculated by the following:"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "offline_timeout + random_offset"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"The random offset can increment up to 30 seconds. After each unsuccessful "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"attempt to go online, the new interval is recalculated by the following:"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "new_interval = old_interval*2 + random_offset"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"Note that the maximum length of each interval is currently limited to one "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"hour. If the calculated length of new_interval is greater than an hour, it "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"will be forced to one hour."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "responder_idle_timeout"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"This option specifies the number of seconds that an SSSD responder process "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"can be up without being used. This value is limited in order to avoid "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"resource exhaustion on the system. The minimum acceptable value for this "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"option is 60 seconds. Setting this option to 0 (zero) means that no timeout "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"will be set up to the responder. This option only has effect when SSSD is "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"built with systemd support and when services are either socket or D-Bus "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:709 sssd.conf.5.xml:981 sssd.conf.5.xml:1566
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "Default: 300"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "cache_first"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek"This option specifies whether the responder should query all caches before "
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek"querying the Data Providers."
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "NSS configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"These options can be used to configure the Name Service Switch (NSS) service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "enum_cache_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should nss_sss cache enumerations (requests for info about "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 120"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_nowait_percentage (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The entry cache can be set to automatically update entries in the background "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"if they are requested beyond a percentage of the entry_cache_timeout value "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"for the domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For example, if the domain's entry_cache_timeout is set to 30s and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"after 15 seconds past the last cache update will be returned immediately, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"but the SSSD will go and update the cache on its own, so that future "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"requests will not need to block waiting for a cache update."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Valid values for this option are 0-99 and represent a percentage of the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"entry_cache_timeout for each domain. For performance reasons, this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"disables this feature)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 50"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_negative_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies for how many seconds nss_sss should cache negative cache hits "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(that is, queries for invalid database entries, like nonexistent ones) "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"before asking the back end again."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 15"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "local_negative_timeout (integer)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Specifies for how many seconds nss_sss should keep local users and groups in "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"negative cache before trying to look it up in the back end again."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:802 sssd.conf.5.xml:1217 sssd.conf.5.xml:2846 sssd.8.xml:79
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Default: 0"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "filter_users, filter_groups (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Exclude certain users or groups from being fetched from the sss NSS "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"database. This is particularly useful for system accounts. This option can "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"also be set per-domain or include fully-qualified names to filter only users "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"from the particular domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"NOTE: The filter_groups option doesn't affect inheritance of nested group "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"members, since filtering happens after they are propagated for returning via "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"NSS. E.g. a group having a member group filtered out will still have the "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"member users of the latter listed."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: root"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "filter_users_in_groups (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If you want filtered user still be group members set this option to false."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "fallback_homedir (string)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Set a default template for a user's home directory if one is not specified "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"explicitly by the domain's data provider."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"The available values for this option are the same as for override_homedir."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"fallback_homedir = /home/%u\n"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:856 sssd.conf.5.xml:1296 sssd.conf.5.xml:1315
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#: sssd-krb5.5.xml:539 include/override_homedir.xml:59
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: not set (no substitution for unset home directories)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "override_shell (string)"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Override the login shell for all users. This option supersedes any other "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"shell options if it takes effect and can be set either in the [nss] section "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"or per-domain."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Default: not set (SSSD will use the value retrieved from LDAP)"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "allowed_shells (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Restrict user shell to one of the listed values. The order of evaluation is:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"quote>, use the value of the shell_fallback parameter."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"shells</quote>, a nologin shell is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "The wildcard (*) can be used to allow any shell."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"The (*) is useful if you want to use shell_fallback in case that user's "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"shell is not in <quote>/etc/shells</quote> and maintaining list of all "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"allowed shells in allowed_shells would be to much overhead."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "An empty string for shell is passed as-is to libc."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"that a restart of the SSSD is required in case a new shell is installed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Not set. The user shell is automatically used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "vetoed_shells (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Replace any instance of these shells with the shell_fallback"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "shell_fallback (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The default shell to use if an allowed shell is not installed on the machine."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: /bin/sh"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "default_shell"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The default shell to use if the provider does not return one during lookup. "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"This option can be specified globally in the [nss] section or per-domain."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: not set (Return NULL if no shell is specified and rely on libc to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"substitute something sensible when necessary, usually /bin/sh)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "get_domains_timeout (int)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies time in seconds for which the list of subdomains will be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"considered valid."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "memcache_timeout (int)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies time in seconds for which records in the in-memory cache will be "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"valid. Setting this option to zero will disable the in-memory cache."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"WARNING: Disabling the in-memory cache will have significant negative impact "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"on SSSD's performance and should only be used for testing."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"client applications will not use the fast in-memory cache."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "user_attributes (string)"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Some of the additional NSS responder requests can return more attributes "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"than just the POSIX ones defined by the NSS interface. The list of "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"attributes is controlled by this option. It is handled the same way as the "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"<quote>user_attributes</quote> option of the InfoPipe responder (see "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"manvolnum> </citerefentry> for details) but with no default values."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"To make configuration more easy the NSS responder will check the InfoPipe "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"option if it is not set for the NSS responder."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "Default: not set, fallback to InfoPipe option"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozekmsgid "pwfield (string)"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"The value that NSS operations that return users or groups will return for "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"the <quote>password</quote> field."
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1032 include/override_homedir.xml:56
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozekmsgid "This option can also be set per-domain."
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"Default: <quote>*</quote> (remote domains) or <quote>x</quote> (the files "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "PAM configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"These options can be used to configure the Pluggable Authentication Module "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(PAM) service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "offline_credentials_expiration (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If the authentication provider is offline, how long should we allow cached "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"logins (in days since the last successful online login)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 0 (No limit)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "offline_failed_login_attempts (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If the authentication provider is offline, how many failed login attempts "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are allowed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "offline_failed_login_delay (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The time in minutes which has to pass after offline_failed_login_attempts "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"has been reached before a new login attempt is possible."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If set to 0 the user cannot authenticate offline if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"offline_failed_login_attempts has been reached. Only a successful online "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication can enable offline authentication again."
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 5"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "pam_verbosity (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Controls what kind of messages are shown to the user during authentication. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The higher the number to more messages are displayed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Currently sssd supports the following values:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>0</emphasis>: do not show any message"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>1</emphasis>: show only important messages"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>2</emphasis>: show informational messages"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>3</emphasis>: show all messages and debug information"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 1"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "pam_response_filter (integer)"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"A comma separated list of strings which allows to remove (filter) data sent "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"by the PAM responder to pam_sss PAM module. There are different kind of "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"responses sent to pam_sss e.g. messages displayed to the user or environment "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"variables which should be set by pam_sss."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"While messages already can be controlled with the help of the pam_verbosity "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"option this option allows to filter out other kind of responses as well."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Do not send any environment variables to any service."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ENV:var_name"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Do not send environment variable var_name to any service."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ENV:var_name:service"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Do not send environment variable var_name to service."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"Currently the following filters are supported: <placeholder type="
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"\"variablelist\" id=\"0\"/>"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "Example: ENV:KRB5CCNAME:sudo-i"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "pam_id_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For any PAM request while SSSD is online, the SSSD will attempt to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"immediately update the cached identity information for the user in order to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ensure that authentication takes place with the latest information."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"A complete PAM conversation may perform multiple PAM requests, such as "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"account management and session opening. This option controls (on a per-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"client-application basis) how long (in seconds) we can cache the identity "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"information to avoid excessive round-trips to the identity provider."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "pam_pwd_expiration_warning (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Display a warning N days before the password expires."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that the backend server has to provide information about the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"expiration time of the password. If this information is missing, sssd "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"cannot display a warning."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If zero is set, then this filter is not applied, i.e. if the expiration "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"warning was received from backend server, it will automatically be displayed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"emphasis> for a particular domain."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "pam_trusted_users (string)"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"Specifies the comma-separated list of UID values or user names that are "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"allowed to run PAM conversations against trusted domains. Users not "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"included in this list can only access domains marked as public with "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<quote>pam_public_domains</quote>. User names are resolved to UIDs at "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Default: All users are considered trusted by default"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"Please note that UID 0 is always allowed to access the PAM responder even in "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"case it is not in the pam_trusted_users list."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "pam_public_domains (string)"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"Specifies the comma-separated list of domain names that are accessible even "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"to untrusted users."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Two special values for pam_public_domains option are defined:"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"all (Untrusted users are allowed to access all domains in PAM responder.)"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"none (Untrusted users are not allowed to access any domains PAM in "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"responder.)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1277 sssd.conf.5.xml:1302 sssd.conf.5.xml:1321
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1825 sssd.conf.5.xml:2782 sssd-ldap.5.xml:1968
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Default: none"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozekmsgid "pam_account_expired_message (string)"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Allows a custom expiration message to be set, replacing the default "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"'Permission denied' message."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Note: Please be aware that message is only printed for the SSH service "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"unless pam_verbosity is set to 3 (show all messages and debug information)."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"pam_account_expired_message = Account expired, please contact help desk.\n"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "pam_account_locked_message (string)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Allows a custom lockout message to be set, replacing the default 'Permission "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"denied' message."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"pam_account_locked_message = Account locked, please contact help desk.\n"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "pam_cert_auth (bool)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Enable certificate based Smartcard authentication. Since this requires "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"additional communication with the Smartcard which will delay the "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"authentication process this option is disabled by default."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1335 sssd.conf.5.xml:2875 sssd-ldap.5.xml:1087
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:1114 sssd-ldap.5.xml:1514 sssd-ldap.5.xml:1535
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:2041 include/ldap_id_mapping.xml:244
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Default: False"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "pam_cert_db_path (string)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"The path to the certificate database which contain the PKCS#11 modules to "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"access the Smartcard."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Default: /etc/pki/nssdb (NSS version)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "p11_child_timeout (integer)"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "How many seconds will pam_sss wait for p11_child to finish."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "pam_app_services (string)"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Which PAM services are permitted to contact domains of type "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<quote>application</quote>"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SUDO configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"These options can be used to configure the sudo service. The detailed "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"instructions for configuration of <citerefentry> <refentrytitle>sudo</"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sudo_timed (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"that implement time-dependent sudoers entries."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "sudo_threshold (integer)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Maximum number of expired rules that can be refreshed at once. If number of "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"expired rules is below threshold, those rules are refreshed with "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<quote>rules refresh</quote> mechanism. If the threshold is exceeded a "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<quote>full refresh</quote> of sudo rules is triggered instead. This "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"threshold number also applies to IPA sudo command and command group searches."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "AUTOFS configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "These options can be used to configure the autofs service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "autofs_negative_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies for how many seconds should the autofs responder negative cache "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"hits (that is, queries for invalid map entries, like nonexistent ones) "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"before asking the back end again."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SSH configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "These options can be used to configure the SSH service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ssh_hash_known_hosts (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Whether or not to hash host names and addresses in the managed known_hosts "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "ssh_known_hosts_timeout (integer)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"How many seconds to keep a host in the managed known_hosts file after its "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"host keys were requested."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Default: 180"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "ca_db (string)"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Path to a storage of trusted CA certificates. The option is used to validate "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"user certificates before deriving public ssh keys from them."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "Default: /etc/pki/nssdb"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "PAC responder configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The PAC responder works together with the authorization data plugin for MIT "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider collects domain SID and ID ranges of the domain the client is "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"joined to and of remote trusted domains from the local domain controller. If "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the PAC is decoded and evaluated some of the following operations are done:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"If the remote user does not exist in the cache, it is created. The UID is "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"determined with the help of the SID, trusted domains will have UPGs and the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"GID will have the same value as the UID. The home directory is set based on "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"the subdomain_homedir parameter. The shell will be empty by default, i.e. "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"the system defaults are used, but can be overwritten with the default_shell "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"If there are SIDs of groups from domains sssd knows about, the user will be "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"added to those groups."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "These options can be used to configure the PAC responder."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "allowed_uids (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the comma-separated list of UID values or user names that are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"allowed to access the PAC responder. User names are resolved to UIDs at "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 0 (only the root user is allowed to access the PAC responder)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that although the UID 0 is used as the default it will be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"overwritten with this option. If you still want to allow the root user to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access the PAC responder, which would be the typical case, you have to add 0 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to the list of allowed UIDs as well."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "pac_lifetime (integer)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"data can be used to determine the group memberships of a user."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Session recording configuration options"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Session recording works in conjunction with <citerefentry> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"citerefentry>, a part of tlog package, to log what users see and type when "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "These options can be used to configure session recording."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1593 sssd-session-recording.5.xml:64
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "scope (string)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1600 sssd-session-recording.5.xml:71
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "\"none\""
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1603 sssd-session-recording.5.xml:74
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "No users are recorded."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1608 sssd-session-recording.5.xml:79
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "\"some\""
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1611 sssd-session-recording.5.xml:82
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Users/groups specified by <replaceable>users</replaceable> and "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<replaceable>groups</replaceable> options are recorded."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1620 sssd-session-recording.5.xml:91
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "\"all\""
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1623 sssd-session-recording.5.xml:94
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "All users are recorded."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1596 sssd-session-recording.5.xml:67
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"One of the following strings specifying the scope of session recording: "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<placeholder type=\"variablelist\" id=\"0\"/>"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1630 sssd-session-recording.5.xml:101
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Default: \"none\""
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1635 sssd-session-recording.5.xml:106
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "users (string)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1638 sssd-session-recording.5.xml:109
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"A comma-separated list of users which should have session recording enabled. "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Matches user names as returned by NSS. I.e. after the possible space "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"replacement, case changes, etc."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1644 sssd-session-recording.5.xml:115
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Default: Empty. Matches no users."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1649 sssd-session-recording.5.xml:120
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "groups (string)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1652 sssd-session-recording.5.xml:123
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"A comma-separated list of groups, members of which should have session "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"recording enabled. Matches group names as returned by NSS. I.e. after the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"possible space replacement, case changes, etc."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1658 sssd-session-recording.5.xml:129
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"NOTE: using this option (having it set to anything) has a considerable "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"performance cost, because each uncached request for a user requires "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"retrieving and matching the groups the user is member of."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1665 sssd-session-recording.5.xml:136
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Default: Empty. Matches no groups."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "DOMAIN SECTIONS"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "domain_type (string)"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Specifies whether the domain is meant to be used by POSIX-aware clients such "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"as the Name Service Switch or by applications that do not need POSIX data to "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"be present or generated. Only objects from POSIX domains are available to "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the operating system interfaces and utilities."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Allowed values for this option are <quote>posix</quote> and "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<quote>application</quote>."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"POSIX domains are reachable by all services. Application domains are only "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"reachable from the InfoPipe responder (see <citerefentry> "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"citerefentry>) and the PAM responder."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"NOTE: The application domains are currently well tested with "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<quote>id_provider=ldap</quote> only."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"For an easy way to configure a non-POSIX domains, please see the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<quote>Application domains</quote> section."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Default: posix"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "min_id,max_id (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"UID and GID limits for the domain. If a domain contains an entry that is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"outside these limits, it is ignored."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For users, this affects the primary GID limit. The user will not be returned "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to NSS if either the UID or the primary GID is outside the range. For non-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"primary group memberships, those that are in range will be reported as "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek"These ID limits affect even saving entries to cache, not only returning them "
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek"by name or ID."
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 1 for min_id, 0 (no limit) for max_id"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "enumerate (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"Determines if a domain can be enumerated, that is, whether the domain can "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"list all the users and group it contains. Note that it is not required to "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"enable enumeration in order for secondary groups to be displayed. This "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"parameter can have one of the following values:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "TRUE = Users and groups are enumerated"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "FALSE = No enumerations for this domain"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1761 sssd.conf.5.xml:1983 sssd.conf.5.xml:2150
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: FALSE"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"Enumerating a domain requires SSSD to download and store ALL user and group "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"entries from the remote server."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Note: Enabling enumeration has a moderate performance impact on SSSD while "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"enumeration is running. It may take up to several minutes after SSSD startup "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to fully complete enumerations. During this time, individual requests for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"information will go directly to LDAP, though it may be slow, due to the "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"heavy enumeration processing. Saving a large number of entries to cache "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"after the enumeration completes might also be CPU intensive as the "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"memberships have to be recomputed. This can lead to the <quote>sssd_be</"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"quote> process becoming unresponsive or even restarted by the internal "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"While the first enumeration is running, requests for the complete user or "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"group lists may return no results until it completes."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Further, enabling enumeration may increase the time necessary to detect "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"network disconnection, as longer timeouts are required to ensure that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"enumeration lookups are completed successfully. For more information, refer "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to the man pages for the specific id_provider in use."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"For the reasons cited above, enabling enumeration is not recommended, "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"especially in large environments."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozekmsgid "subdomain_enumerate (string)"
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozekmsgid "All discovered trusted domains will be enumerated"
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozekmsgid "No discovered trusted domains will be enumerated"
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"Whether any of autodetected trusted domains should be enumerated. The "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"supported values are: <placeholder type=\"variablelist\" id=\"0\"/> "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"Optionally, a list of one or more domain names can enable enumeration just "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"for these trusted domains."
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should nss_sss consider entries valid before asking the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"backend again"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The cache expiration timestamps are stored as attributes of individual "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"objects in the cache. Therefore, changing the cache timeout only has effect "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"for newly added or expired entries. You should run the <citerefentry> "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"citerefentry> tool in order to force refresh of entries that have already "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"been cached."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 5400"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_user_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should nss_sss consider user entries valid before asking "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the backend again"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1864 sssd.conf.5.xml:1877 sssd.conf.5.xml:1890
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1903 sssd.conf.5.xml:1916 sssd.conf.5.xml:1930
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: entry_cache_timeout"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_group_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should nss_sss consider group entries valid before asking "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the backend again"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_netgroup_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should nss_sss consider netgroup entries valid before "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"asking the backend again"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_service_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should nss_sss consider service entries valid before asking "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the backend again"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_sudo_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should sudo consider rules valid before asking the backend "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "entry_cache_autofs_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"How many seconds should the autofs service consider automounter maps valid "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"before asking the backend again"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "entry_cache_ssh_host_timeout (integer)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"How many seconds to keep a host ssh key after refresh. IE how long to cache "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"the host key for."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "refresh_expired_interval (integer)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"Specifies how many seconds SSSD has to wait before triggering a background "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"refresh task which will refresh all expired or nearly expired records."
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"The background refresh will process users, groups and netgroups in the cache."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "You can consider setting this value to 3/4 * entry_cache_timeout."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:1966 sssd-ldap.5.xml:746 sssd-ipa.5.xml:254
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "Default: 0 (disabled)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "cache_credentials (bool)"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Determines if user credentials are also cached in the local LDB cache"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "User credentials are stored in a SHA512 hash, not in plaintext"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozekmsgid "cache_credentials_minimal_first_factor_length (int)"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"If 2-Factor-Authentication (2FA) is used and credentials should be saved "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"this value determines the minimal length the first authentication factor "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"(long term password) must have to be saved as SHA512 hash into the cache."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"This should avoid that the short PINs of a PIN based 2FA scheme are saved in "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"the cache which would make them easy targets for brute-force attacks."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozekmsgid "Default: 8"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "account_cache_expiration (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Number of days entries are left in cache after last successful login before "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"being removed during a cleanup of the cache. 0 means keep forever. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"value of this parameter must be greater than or equal to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"offline_credentials_expiration."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 0 (unlimited)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "pwd_expiration_warning (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that the backend server has to provide information about the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"expiration time of the password. If this information is missing, sssd "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"cannot display a warning. Also an auth provider has to be configured for the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 7 (Kerberos), 0 (LDAP)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "id_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The identification provider used for the domain. Supported ID providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "<quote>proxy</quote>: Support a legacy NSS provider"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "<quote>local</quote>: SSSD internal provider for local users"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"information on configuring LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:2071 sssd.conf.5.xml:2176 sssd.conf.5.xml:2231
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:2080 sssd.conf.5.xml:2185 sssd.conf.5.xml:2240
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<quote>ad</quote>: Active Directory provider. See <citerefentry> "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry> for more information on configuring Active Directory."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "use_fully_qualified_names (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Use the full name and domain (as formatted by the domain's full_name_format) "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"as the user's login name reported to NSS."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If set to TRUE, all requests to this domain must use fully qualified names. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For example, if used in LOCAL domain that contains a \"test\" user, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>getent passwd test</command> wouldn't find the user while "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>getent passwd test@LOCAL</command> would."
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"NOTE: This option has no effect on netgroup lookups due to their tendency to "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"include nested netgroups without qualified names. For netgroups, all domains "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"will be searched when an unqualified name is requested."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozekmsgid "Default: FALSE (TRUE if default_domain_suffix is used)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "ignore_group_members (bool)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Do not return group members for group lookups."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"If set to TRUE, the group membership attribute is not requested from the "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"ldap server, and group members are not returned when processing group lookup "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"citerefentry>. As an effect, <quote>getent group $groupname</quote> would "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"return the requested group as if it was empty."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"Enabling this option can also make access provider checks for group "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"membership significantly faster, especially for groups containing many "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "auth_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The authentication provider used for the domain. Supported auth providers "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information on configuring LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information on configuring Kerberos."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>proxy</quote> for relaying authentication to some other PAM target."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<quote>none</quote> disables authentication explicitly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: <quote>id_provider</quote> is used if it is set and can handle "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication requests."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "access_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The access control provider used for the domain. There are two built-in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access providers (in addition to any included in installed backends) "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Internal special providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>permit</quote> always allow access. It's the only permitted access "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider for a local domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<quote>deny</quote> always deny access."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>simple</quote> access control based on access or deny lists. See "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum></citerefentry> for more information on configuring the simple "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access module."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<quote>krb5</quote>: .k5login based access control. See <citerefentry> "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"citerefentry> for more information on configuring Kerberos."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "<quote>proxy</quote> for relaying access control to another PAM module."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: <quote>permit</quote>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "chpass_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The provider which should handle change password operations for the domain. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Supported change password providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<quote>ldap</quote> to change a password stored in a LDAP server. See "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> for more information on configuring LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information on configuring Kerberos."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>proxy</quote> for relaying password changes to some other PAM target."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<quote>none</quote> disallows password changes explicitly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: <quote>auth_provider</quote> is used if it is set and can handle "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"change password requests."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sudo_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The SUDO provider used for the domain. Supported SUDO providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information on configuring LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<quote>ad</quote> the same as <quote>ldap</quote> but with AD default "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<quote>none</quote> disables SUDO explicitly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:2351 sssd.conf.5.xml:2437 sssd.conf.5.xml:2507
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: The value of <quote>id_provider</quote> is used if it is set."
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"The detailed instructions for configuration of sudo_provider are in the "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry>. There are many configuration "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"options that can be used to adjust the behavior. Please refer to "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry>."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"background unless the sudo provider is explicitly disabled. Set "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"<emphasis>sudo_provider = None</emphasis> to disable all sudo-related "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"activity in SSSD if you do not want to use sudo with SSSD at all."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "selinux_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The provider which should handle loading of selinux settings. Note that this "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"provider will be called right after access provider ends. Supported selinux "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<quote>ipa</quote> to load selinux settings from an IPA server. See "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> for more information on configuring IPA."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "<quote>none</quote> disallows fetching selinux settings explicitly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: <quote>id_provider</quote> is used if it is set and can handle "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"selinux loading requests."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "subdomains_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The provider which should handle fetching of subdomains. This value should "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"be always the same as id_provider. Supported subdomain providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> for more information on configuring IPA."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"<quote>ad</quote> to load a list of subdomains from an Active Directory "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"the AD provider."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<quote>none</quote> disallows fetching subdomains explicitly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "session_provider (string)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"The provider which configures and manages user session related tasks. The "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"only user session task currently provided is the integration with Fleet "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Commander, which works only with IPA. Supported session providers are:"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "<quote>ipa</quote> to allow performing user session related tasks."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<quote>none</quote> does not perform any kind of user session related tasks."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Default: <quote>id_provider</quote> is used if it is set and can perform "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"session related tasks."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"<emphasis>NOTE:</emphasis> In order to have this feature working as expected "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"SSSD must be running as \"root\" and not as the unprivileged user."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "autofs_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The autofs provider used for the domain. Supported autofs providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information on configuring LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information on configuring IPA."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"citerefentry> for more information on configuring the AD provider."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<quote>none</quote> disables autofs explicitly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "hostid_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The provider used for retrieving host identity information. Supported "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"hostid providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ipa</quote> to load host identity stored in an IPA server. See "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> for more information on configuring IPA."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<quote>none</quote> disables hostid explicitly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Regular expression for this domain that describes how to parse the string "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"containing user name and domain into these components. The \"domain\" can "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"match either the SSSD configuration domain name, or, in the case of IPA "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"the domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"user names:"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "username"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "username@domain.name"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "domain\\username"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"While the first two correspond to the general default the third one is "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"introduced to allow easy integration of users from Windows domains."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"which translates to \"the name is everything up to the <quote>@</quote> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"sign, the domain everything after that\""
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"PLEASE NOTE: the support for non-unique named subpatterns is not available "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"version 7 or higher can support non-unique named subpatterns."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"P<name>) to label subpatterns."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: <quote>%1$s@%2$s</quote>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "lookup_family_order (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Provides the ability to select preferred address family to use when "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"performing DNS lookups."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Supported values:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipv4_first"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "dns_resolver_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Defines the amount of time (in seconds) to wait for a reply from the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"internal fail over service before assuming that the service is unreachable. "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"If this timeout is reached, the domain will continue to operate in offline "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Please see the section <quote>FAILOVER</quote> for more information about "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"the service resolution."
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd.conf.5.xml:2679 sssd-ldap.5.xml:1396 sssd-ldap.5.xml:1438
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozekmsgid "Default: 6"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "dns_discovery_domain (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If service discovery is used in the back end, specifies the domain part of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the service discovery DNS query."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Use the domain part of machine's hostname"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "override_gid (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Override the primary GID value with the one specified."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "case_sensitive (string)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Case sensitive. This value is invalid for AD provider."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "False"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Case insensitive."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Preserving"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Same as False (case insensitive), but does not lowercase names in the result "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"of NSS operations. Note that name aliases (and in case of services also "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"protocol names) are still lowercased in the output."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Treat user and group names as case sensitive. At the moment, this option is "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"not supported in the local provider. Possible option values are: "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<placeholder type=\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Default: True (False for AD provider)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "subdomain_inherit (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Specifies a list of configuration parameters that should be inherited by a "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"subdomain. Please note that only selected parameters can be inherited. "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Currently the following options can be inherited:"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ignore_group_members"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ldap_purge_cache_timeout"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ldap_use_tokengroups"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ldap_user_principal"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"is not set explicitly)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"subdomain_inherit = ldap_purge_cache_timeout\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Note: This option only works with the IPA and AD provider."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "subdomain_homedir (string)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "flat (NetBIOS) name of a subdomain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Use this homedir as default value for all subdomains within this domain in "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"IPA AD trust. See <emphasis>override_homedir</emphasis> for info about "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"possible values. In addition to those, the expansion below can only be used "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"with <emphasis>subdomain_homedir</emphasis>. <placeholder type="
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The value can be overridden by <emphasis>override_homedir</emphasis> option."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: <filename>/home/%d/%u</filename>"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "realmd_tags (string)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Various tags stored by the realmd configuration service for this domain."
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozekmsgid "cached_auth_timeout (int)"
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozek"Specifies time in seconds since last successful online authentication for "
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozek"which user will be authenticated using cached credentials while SSSD is in "
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozek"the online mode."
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozekmsgid "Special value 0 implies that this feature is disabled."
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozek"Please note that if <quote>cached_auth_timeout</quote> is longer than "
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozek"<quote>pam_id_timeout</quote> then the back end could be called to handle "
531661c7bb54eb71853977a64cb30f80c20b963eJakub Hrozek"<quote>initgroups.</quote>"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "auto_private_groups (string)"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"If this option is enabled, SSSD will automatically create user private "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"groups based on user's UID number. The GID number is ignored in this case."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"For POSIX subdomains, setting the option in the main domain is inherited in "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"the subdomain."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"For ID-mapping subdomains, auto_private_groups is already enabled for the "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"subdomains and setting it to false will not have any effect for the "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"NOTE: Because the GID number and the user private group are inferred from "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"the UID number, it is not supported to have multiple entries with the same "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"UID or GID number with this option. In other words, enabling this option "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"enforces uniqueness across the ID space."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"These configuration options can be present in a domain configuration "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "proxy_pam_target (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The proxy target PAM proxies to."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: not set by default, you have to take an existing pam configuration "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"or create a new one and add the service name here."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "proxy_lib_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The name of the NSS library to use in proxy domains. The NSS functions "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"searched for in the library are in the form of _nss_$(libName)_$(function), "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"for example _nss_files_getpwent."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "proxy_fast_alias (boolean)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"When a user or group is looked up by name in the proxy provider, a second "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"lookup by ID is performed to \"canonicalize\" the name in case the requested "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"name was an alias. Setting this option to true would cause the SSSD to "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"perform the ID lookup from cache for performance reasons."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "proxy_max_children (integer)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"This option specifies the number of pre-forked proxy children. It is useful "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"for high-load SSSD environments where sssd may run out of available child "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"slots, which would cause some issues due to the requests being queued."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Application domains"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"applications as a gateway to an LDAP directory where users and groups are "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"stored. However, contrary to the traditional SSSD deployment where all users "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"and groups either have POSIX attributes or those attributes can be inferred "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"from the Windows SIDs, in many cases the users and groups in the application "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"support scenario have no POSIX attributes. Instead of setting a "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"administrator can set up an <quote>[application/<replaceable>NAME</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"replaceable>]</quote> section that internally represents a domain with type "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<quote>application</quote> optionally inherits settings from a tradition "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"SSSD domain."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Please note that the application domain must still be explicitly enabled in "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the <quote>domains</quote> parameter so that the lookup order between the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"application domain and its POSIX sibling domain is set correctly."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Application domain parameters"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "inherit_from (string)"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The SSSD POSIX-type domain the application domain inherits all settings "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"from. The application domain can moreover add its own settings to the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"application settings that augment or override the <quote>sibling</quote> "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"domain settings."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The following example illustrates the use of an application domain. In this "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"setup, the POSIX domain is connected to an LDAP server and is used by the OS "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"through the NSS responder. In addition, the application domain also requests "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"the telephoneNumber attribute, stores it as the phone attribute in the cache "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"and makes the phone attribute reachable through the D-Bus interface."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><programlisting>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"domains = appdom, posixdom\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"user_attributes = +phone\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"id_provider = ldap\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"ldap_uri = ldap://ldap.example.com\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"ldap_search_base = dc=example,dc=com\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"inherit_from = posixdom\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"ldap_user_extra_attrs = phone:telephoneNumber\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The local domain section"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This section contains settings for domain that stores users and groups in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"SSSD native database, that is, a domain that uses "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>id_provider=local</replaceable>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "default_shell (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The default shell for users created with SSSD userspace tools."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: <filename>/bin/bash</filename>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "base_directory (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The tools append the login name to <replaceable>base_directory</replaceable> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"and use that as the home directory."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: <filename>/home</filename>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "create_homedir (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Indicate if a home directory should be created by default for new users. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Can be overridden on command line."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: TRUE"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "remove_homedir (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Indicate if a home directory should be removed by default for deleted "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"users. Can be overridden on command line."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "homedir_umask (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"on a newly created home directory."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 077"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "skel_dir (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The skeleton directory, which contains files and directories to be copied in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the user's home directory, when the home directory is created by "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: <filename>/etc/skel</filename>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "mail_dir (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The mail spool directory. This is needed to manipulate the mailbox when its "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"corresponding user account is modified or deleted. If not specified, a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"default value is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: <filename>/var/mail</filename>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "userdel_cmd (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The command that is run after a user is removed. The command us passed the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"username of the user being removed as the first and only parameter. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"return code of the command is not taken into account."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: None, no command is run"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "TRUSTED DOMAIN SECTION"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek"Some options used in the domain section can also be used in the trusted "
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek"domain section, that is, in a section called <quote>[domain/"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"domain. Please refer to examples below for explanation. Currently supported "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"options in the trusted domain section are:"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "ldap_search_base,"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "ldap_user_search_base,"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "ldap_group_search_base,"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "ldap_netgroup_search_base,"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "ldap_service_search_base,"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "ad_server,"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "ad_backup_server,"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "ad_site,"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "use_fully_qualified_names"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek"For more details about these options see their individual description in the "
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek"manual page."
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "EXAMPLES"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"domains = LDAP\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"services = nss, pam\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"config_file_version = 2\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"filter_groups = root\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"filter_users = root\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"id_provider = ldap\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_uri = ldap://ldap.example.com\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_search_base = dc=example,dc=com\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"auth_provider = krb5\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"krb5_server = kerberos.example.com\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"krb5_realm = EXAMPLE.COM\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"cache_credentials = true\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"min_id = 10000\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"max_id = 20000\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"enumerate = False\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"1. The following example shows a typical SSSD config. It does not describe "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"configuration of the domains themselves - refer to documentation on "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"configuring domains for more details. <placeholder type=\"programlisting\" "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"use_fully_qualified_names = false\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"2. The following example shows configuration of IPA AD trust where the AD "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"forest consists of two domains in a parent-child structure. Suppose IPA "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"(child.ad.com). To enable shortnames in the child domain the following "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sssd-ldap"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "SSSD LDAP provider"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This manual page describes the configuration of LDAP domains for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> manual page for detailed syntax information."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "You can configure SSSD to use more than one LDAP domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP back end supports id, auth, access and chpass providers. If you want to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"over an unencrypted channel. If the LDAP server is used only as an identity "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider, an encrypted channel is not needed. Please refer to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap_access_filter</quote> config option for more information about "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"using LDAP as an access provider."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:81 sssd-ad.5.xml:112
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#: sssd-krb5.5.xml:63 sssd-ifp.5.xml:44 sssd-files.5.xml:57
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-secrets.5.xml:120 sssd-session-recording.5.xml:58 sssd-kcm.8.xml:139
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "CONFIGURATION OPTIONS"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "ldap_uri, ldap_backup_uri (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"should connect in the order of preference. Refer to the <quote>FAILOVER</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"quote> section for more information on failover and server redundancy. If "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"neither option is specified, service discovery is enabled. For more "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The format of the URI must match the format defined in RFC 2732:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap[s]://<host>[:port]"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "example: ldap://[fc00::126:25]:389"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"should connect in the order of preference to change the password of a user. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Refer to the <quote>FAILOVER</quote> section for more information on "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"failover and server redundancy."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "To enable service discovery ldap_chpass_dns_service_name must be set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: empty, i.e. ldap_uri is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The default base DN to use for performing LDAP user operations."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#: sssd-ldap.5.xml:122 include/ldap_search_bases.xml:18
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The filter must be a valid LDAP search filter as specified by http://www."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:126 sssd-ldap.5.xml:662 sssd-ad.5.xml:283
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#: sss_override.8.xml:137 sss_override.8.xml:234
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Examples:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_search_base = dc=example,dc=com (which is equivalent to) "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_search_base = dc=example,dc=com?subtree?"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(host=thishost)?dc=example.com?subtree?"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Note: It is unsupported to have multiple search bases which reference "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"identically-named objects (for example, groups with the same name in two "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"different search bases). This will lead to unpredictable behavior on client "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: If not set, the value of the defaultNamingContext or namingContexts "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"attribute from the RootDSE of the LDAP server is used. If "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"defaultNamingContext does not exist or has an empty value namingContexts is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"used. The namingContexts attribute must have a single value with the DN of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the search base of the LDAP server to make this work. Multiple values are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are not supported."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_schema (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the Schema Type in use on the target LDAP server. Depending on "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the selected schema, the default attribute names retrieved from the servers "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"may vary. The way that some attributes are handled may also differ."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "Four schema types are currently supported:"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "rfc2307"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "rfc2307bis"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"The main difference between these schema types is how group memberships are "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"recorded in the server. With rfc2307, group members are listed by name in "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"group members are listed by DN and stored in the <emphasis>member</emphasis> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"attribute. The AD schema type sets the attributes to correspond with Active "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Directory 2008r2 values."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: rfc2307"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_default_bind_dn (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The default bind DN to use for performing LDAP operations."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_default_authtok_type (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The type of the authentication token of the default bind DN."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The two mechanisms currently supported are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "password"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "obfuscated_password"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: password"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_default_authtok (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The authentication token of the default bind DN. Only clear text passwords "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are currently supported."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of a user entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: posixAccount"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the user's login name."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_uid_number (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the user's id."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: uidNumber"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_gid_number (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the user's primary group id."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: gidNumber"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "ldap_user_primary_group (string)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"Active Directory primary group attribute for ID-mapping. Note that this "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"attribute should only be set manually if you are running the <quote>ldap</"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"quote> provider with ID mapping."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Default: unset (LDAP), primaryGroupID (AD)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_gecos (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the user's gecos field."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: gecos"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_home_directory (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the name of the user's home directory."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: homeDirectory"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shell (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the path to the user's default shell."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: loginShell"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "ldap_user_uuid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Default: not set in the general case, objectGUID for AD and ipaUniqueID for "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "ldap_user_objectsid (string)"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the objectSID of an LDAP user object. This "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is usually only necessary for ActiveDirectory servers."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "Default: objectSid for ActiveDirectory, not set for other servers."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_modify_timestamp (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:389 sssd-ldap.5.xml:980 sssd-ldap.5.xml:1203
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains timestamp of the last modification of the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"parent object."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:393 sssd-ldap.5.xml:984 sssd-ldap.5.xml:1210
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: modifyTimestamp"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_last_change (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the last password change)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowLastChange"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_min (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"password age)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowMin"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_max (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"password age)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowMax"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_warning (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(password warning period)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowWarning"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_inactive (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(password inactivity period)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowInactive"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_expire (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"parameter contains the name of an LDAP attribute corresponding to its "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> counterpart (account expiration date)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowExpire"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_krb_last_pwd_change (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"an LDAP attribute storing the date and time of last password change in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: krbLastPwdChange"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_krb_password_expiration (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"an LDAP attribute storing the date and time when current password expires."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: krbPasswordExpiration"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_ad_account_expires (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=ad, this parameter contains the name "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of an LDAP attribute storing the expiration time of the account."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: accountExpires"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_ad_user_account_control (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=ad, this parameter contains the name "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of an LDAP attribute storing the user account control bit field."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: userAccountControl"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_ns_account_lock (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"determines if access is allowed or not."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: nsAccountLock"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_nds_login_disabled (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=nds, this attribute determines if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access is allowed or not."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: loginDisabled"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_nds_login_expiration_time (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=nds, this attribute determines until "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"which date access is granted."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_nds_login_allowed_time_map (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=nds, this attribute determines the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"hours of a day in a week when access is granted."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: loginAllowedTimeMap"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_principal (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the user's Kerberos User Principal Name "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: krbPrincipalName"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ldap_user_extra_attrs (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Comma-separated list of LDAP attributes that SSSD would fetch along with the "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"usual set of user attributes."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The list can either contain LDAP attribute names only, or colon-separated "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"tuples of SSSD cache attribute name and LDAP attribute name. In case only "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"LDAP attribute name is specified, the attribute is saved to the cache "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"verbatim. Using a custom SSSD attribute name might be required by "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"environments that configure several SSSD domains with different LDAP schemas."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Please note that several attribute names are reserved by SSSD, notably the "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<quote>name</quote> attribute. SSSD would report an error if any of the "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"reserved attribute names is used as an extra attribute name."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ldap_user_extra_attrs = telephoneNumber"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Save the <quote>telephoneNumber</quote> attribute from LDAP as "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<quote>telephoneNumber</quote> to the cache."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ldap_user_extra_attrs = phone:telephoneNumber"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"quote> to the cache."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ldap_user_ssh_public_key (string)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "The LDAP attribute that contains the user's SSH public keys."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Default: sshPublicKey"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ldap_force_upper_case_realm (boolean)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Some directory servers, for example Active Directory, might deliver the "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"realm part of the UPN in lower case, which might cause the authentication to "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"fail. Set this option to a non-zero value if you want to use an upper-case "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ldap_enumeration_refresh_timeout (integer)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Specifies how many seconds SSSD has to wait before refreshing its cache of "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"enumerated records."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ldap_purge_cache_timeout (integer)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Determine how often to check the cache for inactive entries (such as groups "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"with no members and users who have never logged in) and remove them to save "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"Setting this option to zero will disable the cache cleanup operation. Please "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"note that if enumeration is enabled, the cleanup task is required in order "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"to detect entries removed from the server and can't be disabled. By default, "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"the cleanup task will run every 3 hours with enumeration enabled."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_fullname (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the user's full name."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:759 sssd-ldap.5.xml:1161 sssd-ldap.5.xml:1235
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:2394 sssd-ipa.5.xml:607
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: cn"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_member_of (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that lists the user's group memberships."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: memberOf"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_authorized_service (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"use the presence of the authorizedService attribute in the user's LDAP entry "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to determine access privilege."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"explicit allow (svc) and finally for allow_all (*)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Please note that the ldap_access_order configuration option <emphasis>must</"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"emphasis> include <quote>authorized_service</quote> in order for the "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"ldap_user_authorized_service option to work."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: authorizedService"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_authorized_host (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If access_provider=ldap and ldap_access_order=host, SSSD will use the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"presence of the host attribute in the user's LDAP entry to determine access "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"An explicit deny (!host) is resolved first. Second, SSSD searches for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"explicit allow (host) and finally for allow_all (*)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Please note that the ldap_access_order configuration option <emphasis>must</"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"emphasis> include <quote>host</quote> in order for the "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"ldap_user_authorized_host option to work."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: host"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "ldap_user_authorized_rhost (string)"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"If access_provider=ldap and ldap_access_order=rhost, SSSD will use the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"presence of the rhost attribute in the user's LDAP entry to determine access "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"privilege. Similarly to host verification process."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"An explicit deny (!rhost) is resolved first. Second, SSSD searches for "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"explicit allow (rhost) and finally for allow_all (*)."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Please note that the ldap_access_order configuration option <emphasis>must</"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"emphasis> include <quote>rhost</quote> in order for the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"ldap_user_authorized_rhost option to work."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Default: rhost"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "ldap_user_certificate (string)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozekmsgid "Name of the LDAP attribute containing the X509 certificate of the user."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Default: userCertificate;binary"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozekmsgid "ldap_user_email (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozekmsgid "Name of the LDAP attribute containing the email address of the user."
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"Note: If an email address of a user conflicts with an email address or fully "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"qualified name of another user, then SSSD will not be able to serve those "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"users properly. If for some reason several users need to share the same "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"email address then set this option to a nonexistent attribute name in order "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"to disable user lookup/login by email."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozekmsgid "Default: mail"
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozekmsgid "ldap_group_object_class (string)"
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of a group entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: posixGroup"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the group name."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_gid_number (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the group's id."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_member (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the names of the group's members."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "ldap_group_uuid (string)"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_objectsid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the objectSID of an LDAP group object. This "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is usually only necessary for ActiveDirectory servers."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_modify_timestamp (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ldap_group_type (integer)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The LDAP attribute that contains an integer value indicating the type of the "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"group and maybe other flags."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"This attribute is currently only used by the AD provider to determine if a "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"group is a domain local groups and has to be filtered out for trusted "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Default: groupType in the AD provider, otherwise not set"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ldap_group_external_member (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"The LDAP attribute that references group members that are defined in an "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"external domain. At the moment, only IPA's external members are supported."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Default: ipaExternalMember in the IPA provider, otherwise unset."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ldap_group_nesting_level (integer)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If ldap_schema is set to a schema format that supports nested groups (e.g. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"RFC2307bis), then this option controls how many levels of nesting SSSD will "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"follow. This option has no effect on the RFC2307 schema."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"Note: This option specifies the guaranteed level of nested groups to be "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"processed for any lookup. However, nested groups beyond this limit "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"<emphasis>may be</emphasis> returned if previous lookups already resolved "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"the deeper nesting levels. Also, subsequent lookups for other groups may "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"enlarge the result set for original lookup if re-queried."
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"If ldap_group_nesting_level is set to 0 then no nested groups are processed "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"at all. However, when connected to Active-Directory Server 2008 and later "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"using <quote>id_provider=ad</quote> it is furthermore required to disable "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"usage of Token-Groups by setting ldap_use_tokengroups to false in order to "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"restrict group nesting."
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 2"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_groups_use_matching_rule_in_chain"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option tells SSSD to take advantage of an Active Directory-specific "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"feature which may speed up group lookup operations on deployments with "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"complex or deep nested groups."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"In most common cases, it is best to leave this option disabled. It generally "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"only provides a performance increase on very complex nestings."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If this option is enabled, SSSD will use it if it detects that the server "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"supports it during initial connection. So \"True\" here essentially means "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"auto-detect\"."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Note: This feature is currently known to work only with Active Directory "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"for more details."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_initgroups_use_matching_rule_in_chain"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option tells SSSD to take advantage of an Active Directory-specific "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"feature which might speed up initgroups operations (most notably when "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"dealing with complex or deep nested groups)."
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"This options enables or disables use of Token-Groups attribute when "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"performing initgroup for users from Active Directory Server 2008 and later."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "Default: True for AD and IPA otherwise False."
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of a netgroup entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "In IPA provider, ipa_netgroup_object_class should be used instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: nisNetgroup"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the netgroup name."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "In IPA provider, ipa_netgroup_name should be used instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_member (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the names of the netgroup's members."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "In IPA provider, ipa_netgroup_member should be used instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: memberNisNetgroup"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_triple (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the (host, user, domain) netgroup triples."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "This option is not available in IPA provider."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: nisNetgroupTriple"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_modify_timestamp (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "ldap_host_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "The object class of a host entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipService"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "ldap_host_name (string)"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "The LDAP attribute that corresponds to the host's name."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "ldap_host_fqdn (string)"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"The LDAP attribute that corresponds to the host's fully-qualified domain "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "Default: fqdn"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "ldap_host_serverhostname (string)"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "Default: serverHostname"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "ldap_host_member_of (string)"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "The LDAP attribute that lists the host's group memberships."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "ldap_host_search_base (string)"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "Optional. Use the given string as search base for host objects."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:1287 sssd-ipa.5.xml:359 sssd-ipa.5.xml:378
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"See <quote>ldap_search_base</quote> for information about configuring "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"multiple search bases."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:1292 sssd-ipa.5.xml:364 include/ldap_search_bases.xml:27
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "ldap_host_ssh_public_key (string)"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "The LDAP attribute that contains the host's SSH public keys."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "ldap_host_uuid (string)"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "ldap_service_object_class (string)"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "The object class of a service entry in LDAP."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_service_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the name of service attributes and their "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_service_port (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the port managed by this service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipServicePort"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_service_proto (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the protocols understood by this service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipServiceProtocol"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_service_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_search_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the timeout (in seconds) that ldap searches are allowed to run "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"before they are cancelled and cached results are returned (and offline mode "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is entered)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Note: this option is subject to change in future versions of the SSSD. It "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"will likely be replaced at some point by a series of timeouts for specific "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"lookup types."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_enumeration_search_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the timeout (in seconds) that ldap searches for user and group "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"enumerations are allowed to run before they are cancelled and cached results "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are returned (and offline mode is entered)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_network_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the timeout (in seconds) after which the <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> following a <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> returns in case of no activity."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_opt_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"will abort if no response is received. Also controls the timeout when "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"communicating with the KDC in case of SASL bind, the timeout of an LDAP bind "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"operation, password change extended operation and the StartTLS operation."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_connection_expire_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies a timeout (in seconds) that a connection to an LDAP server will be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"maintained. After this time, the connection will be re-established. If used "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the TGT lifetime) will be used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 900 (15 minutes)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_page_size (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify the number of records to retrieve from LDAP in a single request. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Some LDAP servers enforce a maximum limit per-request."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 1000"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_disable_paging (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Disable the LDAP paging control. This option should be used if the LDAP "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"server reports that it supports the LDAP paging control in its RootDSE but "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"it is not enabled or does not behave properly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Example: OpenLDAP servers with the paging control module installed on the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"server but not enabled will report it in the RootDSE but be unable to use it."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Example: 389 DS has a bug where it can only support a one paging control at "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"a time on a single connection. On busy clients, this can result in some "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"requests being denied."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "ldap_disable_range_retrieval (boolean)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "Disable Active Directory range retrieval."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Active Directory limits the number of members to be retrieved in a single "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"lookup using the MaxValRange policy (which defaults to 1500 members). If a "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"group contains more members, the reply would include an AD-specific range "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"extension. This option disables parsing of the range extension, therefore "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"large groups will appear as having no members."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sasl_minssf (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When communicating with an LDAP server using SASL, specify the minimum "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"security level necessary to establish the connection. The values of this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"option are defined by OpenLDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Use the system default (usually specified by ldap.conf)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_deref_threshold (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify the number of group members that must be missing from the internal "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"cache in order to trigger a dereference lookup. If less members are missing, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"they are looked up individually."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"You can turn off dereference lookups completely by setting the value to 0."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"A dereference lookup is a means of fetching all group members in a single "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP call. Different LDAP servers may implement different dereference "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>Note:</emphasis> If any of the search bases specifies a search "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"filter, then the dereference lookup performance enhancement will be disabled "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"regardless of this setting."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_reqcert (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies what checks to perform on server certificates in a TLS session, if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"any. It can be specified as one of the following values:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>never</emphasis> = The client will not request or check any server "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"certificate."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>allow</emphasis> = The server certificate is requested. If no "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"certificate is provided, the session proceeds normally. If a bad certificate "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is provided, it will be ignored and the session proceeds normally."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>try</emphasis> = The server certificate is requested. If no "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"certificate is provided, the session proceeds normally. If a bad certificate "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is provided, the session is immediately terminated."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>demand</emphasis> = The server certificate is requested. If no "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"certificate is provided, or a bad certificate is provided, the session is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"immediately terminated."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: hard"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_cacert (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the file that contains certificates for all of the Certificate "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Authorities that <command>sssd</command> will recognize."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:1641 sssd-ldap.5.xml:1659 sssd-ldap.5.xml:1700
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"conf</filename>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_cacertdir (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the path of a directory that contains Certificate Authority "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"certificates in separate individual files. Typically the file names need to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"be the hash of the certificate followed by '.0'. If available, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>cacertdir_rehash</command> can be used to create the correct names."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_cert (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies the file that contains the certificate for the client's key."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_key (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies the file that contains the client's key."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_cipher_suite (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Specifies acceptable cipher suites. Typically this is a colon separated "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<manvolnum>5</manvolnum></citerefentry> for format."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_id_use_start_tls (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies that the id_provider connection must also use <systemitem class="
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"protocol\">tls</systemitem> to protect the channel."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_id_mapping (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies that SSSD should attempt to map user and group IDs from the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"on ldap_user_uid_number and ldap_group_gid_number."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Currently this feature supports only ActiveDirectory objectSID mapping."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "ldap_min_id, ldap_max_id (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e0882baf3b0174cd5c34d593442f66bf6ff75261Jakub Hrozek"In contrast to the SID based ID mapping which is used if ldap_id_mapping is "
e0882baf3b0174cd5c34d593442f66bf6ff75261Jakub Hrozek"set to true the allowed ID range for ldap_user_uid_number and "
e0882baf3b0174cd5c34d593442f66bf6ff75261Jakub Hrozek"ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this "
e0882baf3b0174cd5c34d593442f66bf6ff75261Jakub Hrozek"might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id "
e0882baf3b0174cd5c34d593442f66bf6ff75261Jakub Hrozek"can be set to restrict the allowed range for the IDs which are read directly "
e0882baf3b0174cd5c34d593442f66bf6ff75261Jakub Hrozek"from the server. Sub-domains can then pick other ranges to map IDs."
e0882baf3b0174cd5c34d593442f66bf6ff75261Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e0882baf3b0174cd5c34d593442f66bf6ff75261Jakub Hrozekmsgid "Default: not set (both options are set to 0)"
e0882baf3b0174cd5c34d593442f66bf6ff75261Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e0882baf3b0174cd5c34d593442f66bf6ff75261Jakub Hrozekmsgid "ldap_sasl_mech (string)"
e0882baf3b0174cd5c34d593442f66bf6ff75261Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sasl_authid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify the SASL authorization id to use. When GSSAPI is used, this "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"represents the Kerberos principal used for authentication to the directory. "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"This option can either contain the full principal (for example host/"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "Default: host/hostname@REALM"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "ldap_sasl_realm (string)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"Specify the SASL realm to use. When not specified, this option defaults to "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"the value of krb5_realm. If the ldap_sasl_authid contains the realm as "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"well, this option is ignored."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Default: the value of krb5_realm."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sasl_canonicalize (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If set to true, the LDAP library would perform a reverse lookup to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"canonicalize the host name during a SASL bind."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: false;"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_krb5_keytab (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specify the keytab to use when using SASL/GSSAPI."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_krb5_init_creds (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies that the id_provider should init Kerberos credentials (TGT). This "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"action is performed only if SASL is used and the mechanism selected is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_krb5_ticket_lifetime (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 86400 (24 hours)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "krb5_server, krb5_backup_server (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the comma-separated list of IP addresses or hostnames of the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Kerberos servers to which SSSD should connect in the order of preference. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For more information on failover and server redundancy, see the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"colon) may be appended to the addresses or hostnames. If empty, service "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"discovery is enabled - for more information, refer to the <quote>SERVICE "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"DISCOVERY</quote> section."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using service discovery for KDC or kpasswd servers, SSSD first searches "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"none are found."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"While the legacy name is recognized for the time being, users are advised to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"migrate their config files to use <quote>krb5_server</quote> instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:1888 sssd-ipa.5.xml:428 sssd-krb5.5.xml:103
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_realm (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_canonicalize (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies if the host principal should be canonicalized when connecting to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP server. This feature is available with MIT Kerberos >= 1.7"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "krb5_use_kdcinfo (boolean)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
0172959f117b545c8a6b1893f5f56818d82dd624Jakub Hrozek"Specifies if the SSSD should instruct the Kerberos libraries what realm and "
0172959f117b545c8a6b1893f5f56818d82dd624Jakub Hrozek"which KDCs to use. This option is on by default, if you disable it, you need "
0172959f117b545c8a6b1893f5f56818d82dd624Jakub Hrozek"to configure the Kerberos library using the <citerefentry> "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"citerefentry> configuration file."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"information on the locator plugin."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_pwd_policy (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Select the policy to evaluate the password expiration on the client side. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following values are allowed:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>none</emphasis> - No evaluation on the client side. This option "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"cannot disable server-side password policies."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"evaluate if the password has expired."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to determine if the password has expired. Use chpass_provider=krb5 to update "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"these attributes when the password is changed."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>Note</emphasis>: if a password policy is configured on server "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"side, it always takes precedence over policy set with this option."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_referrals (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies whether automatic referral chasing should be enabled."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that sssd only supports referral chasing when it is compiled "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"with OpenLDAP version 2.4.13 or higher."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Chasing referrals may incur a performance penalty in environments that use "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"them heavily, a notable example is Microsoft Active Directory. If your setup "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"does not in fact require the use of referrals, setting this option to false "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"might bring a noticeable performance improvement."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_dns_service_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies the service name to use when service discovery is enabled."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ldap"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_chpass_dns_service_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the service name to use to find an LDAP server which allows "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"password changes when service discovery is enabled."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: not set, i.e. service discovery is disabled"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "ldap_chpass_update_last_change (bool)"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Specifies whether to update the ldap_user_shadow_last_change attribute with "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"days since the Epoch after a password change operation."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_access_filter (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"If using access_provider = ldap and ldap_access_order = filter (default), "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"this option is mandatory. It specifies an LDAP search filter criteria that "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"must be met for the user to be granted access on this host. If "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"access_provider = ldap, ldap_access_order = filter and this option is not "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"set, it will result in all users being denied access. Use access_provider = "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"permit to change this default behavior. Please note that this filter is "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"applied on the LDAP user entry only and thus filtering based on nested "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"groups may not work (e.g. memberOf attribute on AD entries points only to "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"direct parents). If filtering based on nested groups is required, please see "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"manvolnum> </citerefentry>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Example:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access_provider = ldap\n"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"ldap_access_filter = (employeeType=admin)\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"This example means that access to this host is restricted to users whose "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"employeeType attribute is set to \"admin\"."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Offline caching for this feature is limited to determining whether the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"user's last online login was granted access permission. If they were granted "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access during their last login, they will continue to be granted access "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"while offline and vice versa."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Empty"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_account_expire_policy (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"With this option a client side evaluation of access control attributes can "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"be enabled."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that it is always recommended to use server side access control, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"i.e. the LDAP server should deny the bind request with a suitable error code "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"even if the password is correct."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The following values are allowed:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"determine if the account is expired."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>ad</emphasis>: use the value of the 32bit field "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_user_ad_user_account_control and allow access if the second bit is not "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"set. If the attribute is missing access is granted. Also the expiration time "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of the account is checked."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"emphasis>: use the value of ldap_ns_account_lock to check if access is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"allowed or not."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>nds</emphasis>: the values of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_user_nds_login_expiration_time are used to check if access is allowed. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If both attributes are missing access is granted."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Please note that the ldap_access_order configuration option <emphasis>must</"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"emphasis> include <quote>expire</quote> in order for the "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"ldap_account_expire_policy option to work."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_access_order (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Comma separated list of access control options. Allowed values are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>filter</emphasis>: use ldap_access_filter"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<emphasis>lockout</emphasis>: use account locking. If set, this option "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Please note that 'access_provider = ldap' must be set for this feature to "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<emphasis> Please note that this option is superseded by the <quote>ppolicy</"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"quote> option and might be removed in a future release. </emphasis>"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<emphasis>ppolicy</emphasis>: use account locking. If set, this option "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"denies access in case that ldap attribute 'pwdAccountLockedTime' is present "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"and has value of '000001010000Z' or represents any time in the past. The "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"value of the 'pwdAccountLockedTime' attribute must end with 'Z', which "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"denotes the UTC time zone. Other time zones are not currently supported and "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"will result in \"access-denied\" when users attempt to log in. Please see "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"must be set for this feature to work."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"pwd_expire_policy_renew: </emphasis> These options are useful if users are "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"interested in being warned that password is about to expire and "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"authentication is based on using a different method than passwords - for "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"example SSH keys."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"The difference between these options is the action taken if user password is "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"expired: pwd_expire_policy_reject - user is denied to log in, "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"pwd_expire_policy_warn - user is still able to log in, "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"pwd_expire_policy_renew - user is prompted to change his password "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"immediately."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"Note If user password is expired no explicit message is prompted by SSSD."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"Please note that 'access_provider = ldap' must be set for this feature to "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"work. Also 'ldap_pwd_policy' must be set to an appropriate password policy."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to determine access"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>host</emphasis>: use the host attribute to determine access"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<emphasis>rhost</emphasis>: use the rhost attribute to determine whether "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"remote host can access"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Please note, rhost field in pam is set by application, it is better to check "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"what the application sends to pam, before enabling this access control option"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: filter"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that it is a configuration error if a value is used more than "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "ldap_pwdlockout_dn (string)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"This option specifies the DN of password policy entry on LDAP server. Please "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"note that absence of this option in sssd.conf in case of enabled account "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"lockout checking will yield access denied as ppolicy attributes on LDAP "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"server cannot be checked properly."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Default: cn=ppolicy,ou=policies,$ldap_search_base"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_deref (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies how alias dereferencing is done when performing a search. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"following options are allowed:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the base object, but not in locating the base object of the search."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the base object of the search."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"in locating the base object of the search."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"client libraries)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "ldap_rfc2307_fallback_to_local_users (boolean)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"Allows to retain local users as members of an LDAP group for servers that "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"use the RFC2307 schema."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"In some environments where the RFC2307 schema is used, local users are made "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"members of LDAP groups by adding their names to the memberUid attribute. "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The self-consistency of the domain is compromised when this is done, so SSSD "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"would normally remove the \"missing\" users from the cached group "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"memberships as soon as nsswitch tries to fetch information about the user "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"via getpw*() or initgroups() calls."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"This option falls back to checking if local users are referenced, and caches "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"them so that later initgroups() calls will augment the local users with the "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"additional LDAP groups."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "wildcard_limit (integer)"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Specifies an upper limit on the number of entries that are downloaded during "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"a wildcard lookup."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "At the moment, only the InfoPipe responder supports wildcard lookups."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "Default: 1000 (often the size of one page)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"All of the common configuration options that apply to SSSD domains also "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> manual page for full details. <placeholder type="
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SUDO OPTIONS"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"The detailed instructions for configuration of sudo_provider are in the "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of a sudo rule entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoRole"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the sudo rule name."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_command (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the command name."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoCommand"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_host (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the host name (or host IP address, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"host IP network, or host netgroup)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoHost"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_user (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the user name (or UID, group name or "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"user's netgroup)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoUser"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_option (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the sudo options."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoOption"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_runasuser (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the user name that commands may be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoRunAsUser"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_runasgroup (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the group name or group GID that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"commands may be run as."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoRunAsGroup"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_notbefore (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the start date/time for when the sudo "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"rule is valid."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoNotBefore"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_notafter (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the expiration date/time, after which "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the sudo rule will no longer be valid."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoNotAfter"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_order (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the ordering index of the rule."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoOrder"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_full_refresh_interval (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds SSSD will wait between executing a full refresh of sudo "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"rules (which downloads all rules that are stored on the server)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 21600 (6 hours)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_smart_refresh_interval (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds SSSD has to wait before executing a smart refresh of sudo "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"rules (which downloads all rules that have USN higher than the highest USN "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of cached rules)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If USN attributes are not supported by the server, the modifyTimestamp "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"attribute is used instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_use_host_filter (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If true, SSSD will download only rules that are applicable to this machine "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(using the IPv4 or IPv6 host/network addresses and hostnames)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_hostnames (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Space separated list of hostnames or fully qualified domain names that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"should be used to filter the rules."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"If this option is empty, SSSD will try to discover the hostname and the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"fully qualified domain name automatically."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:2584 sssd-ldap.5.xml:2607 sssd-ldap.5.xml:2625
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"emphasis> then this option has no effect."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: not specified"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_ip (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Space separated list of IPv4 or IPv6 host/network addresses that should be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"used to filter the rules."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If this option is empty, SSSD will try to discover the addresses "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"automatically."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_include_netgroups (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If true then SSSD will download every rule that contains a netgroup in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"sudoHost attribute."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_include_regexp (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"If true then SSSD will download every rule that contains a wildcard in "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"sudoHost attribute."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This manual page only describes attribute name mapping. For detailed "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"explanation of sudo related attribute semantics, see <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "AUTOFS OPTIONS"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Some of the defaults for the parameters below are dependent on the LDAP "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ldap_autofs_map_master_name (string)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "The name of the automount master map in LDAP."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Default: auto.master"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_map_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of an automount map entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozekmsgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_map_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The name of an automount map entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_entry_object_class (string)"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"The object class of an automount entry in LDAP. The entry usually "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"corresponds to a mount point."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozekmsgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_entry_key (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The key of an automount entry in LDAP. The entry usually corresponds to a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"mount point."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozekmsgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_entry_value (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise "
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"automountInformation"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"\"variablelist\" id=\"4\"/> <placeholder type=\"variablelist\" id=\"5\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ADVANCED OPTIONS"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_search_base (string)"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><note>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "<note>"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"against Active Directory will not be restricted and return all groups "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"memberships, even with no GID mapping. It is recommended to disable this "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"feature, if group names are not being displayed correctly."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "</note>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"These options are supported by LDAP domains, but they should be used with "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"caution. Please include them in your configuration only if you know what you "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"\"variablelist\" id=\"1\"/>"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:2816 sssd-simple.5.xml:131 sssd-ipa.5.xml:736
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ad.5.xml:1038 sssd-krb5.5.xml:570 sss_rpcidmapd.5.xml:98
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-files.5.xml:71 sssd-session-recording.5.xml:144
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "EXAMPLE"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following example assumes that SSSD is correctly configured and LDAP is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"set to one of the domains in the <replaceable>[domains]</replaceable> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"id_provider = ldap\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"auth_provider = ldap\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ldap_uri = ldap://ldap.mydomain.org\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ldap_search_base = dc=mydomain,dc=org\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ldap_tls_reqcert = demand\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"cache_credentials = true\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:2823 sssd-ldap.5.xml:2841 sssd-simple.5.xml:139
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ipa.5.xml:744 sssd-ad.5.xml:1046 sssd-sudo.5.xml:56 sssd-krb5.5.xml:579
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-files.5.xml:78 sssd-session-recording.5.xml:150
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<placeholder type=\"programlisting\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "LDAP ACCESS FILTER EXAMPLE"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"The following example assumes that SSSD is correctly configured and to use "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"the ldap_access_order=lockout."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"id_provider = ldap\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"auth_provider = ldap\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"access_provider = ldap\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ldap_access_order = lockout\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ldap_uri = ldap://ldap.mydomain.org\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ldap_search_base = dc=mydomain,dc=org\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ldap_tls_reqcert = demand\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"cache_credentials = true\n"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ldap.5.xml:2857 sssd_krb5_locator_plugin.8.xml:61 sssd-simple.5.xml:148
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ad.5.xml:1061 sssd.8.xml:230 sss_seed.8.xml:163
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "NOTES"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The descriptions of some of the configuration options in this manual page "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"distribution."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "pam_sss"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "PAM module for SSSD"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"choice='opt'> <replaceable>prompt_always</replaceable> </arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>pam_sss.so</command> is the PAM interface to the System Security "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Services daemon (SSSD). Errors and results are logged through "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>quiet</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Suppress log messages for unknown users."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>forward_pass</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If <option>forward_pass</option> is set the entered password is put on the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"stack for other PAM modules to use."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>use_first_pass</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The argument use_first_pass forces the module to use a previous stacked "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"modules password and will never prompt the user - if no password is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"available or the password is not appropriate, the user will be denied access."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>use_authtok</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When password changing enforce the module to set the new password to the one "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provided by a previously stacked password module."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>retry=N</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If specified the user is asked another N times for a password if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication fails. Default is 0."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that this option might not work as expected if the application "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"calling PAM handles the user dialog on its own. A typical example is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sshd</command> with <option>PasswordAuthentication</option>."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "<option>ignore_unknown_user</option>"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"If this option is specified and the user does not exist, the PAM module will "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"return PAM_IGNORE. This causes the PAM framework to ignore this module."
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozekmsgid "<option>ignore_authinfo_unavail</option>"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"Specifies that the PAM module should return PAM_IGNORE if it cannot contact "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"the SSSD daemon. This causes the PAM framework to ignore this module."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "<option>domains</option>"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"Allows the administrator to restrict the domains a particular PAM service is "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"allowed to authenticate against. The format is a comma-separated list of "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"SSSD domain names, as specified in the sssd.conf file."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"NOTE: Must be used in conjunction with the <quote>pam_trusted_users</quote> "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"and <quote>pam_public_domains</quote> options. Please see the "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"manvolnum> </citerefentry> manual page for more information on these two PAM "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"responder options."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "<option>allow_missing_name</option>"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"The main purpose of this option is to let SSSD determine the user name based "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"on additional information, e.g. the certificate from a Smartcard."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"auth sufficient pam_sss.so allow_missing_name\n"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"The current use case are login managers which can monitor a Smartcard reader "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"for card events. In case a Smartcard is inserted the login manager will call "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"a PAM stack which includes a line like <placeholder type=\"programlisting\" "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"id=\"0\"/> In this case SSSD will try to determine the user name based on "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"the content of the Smartcard, returns it to pam_sss which will finally put "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"it on the PAM stack."
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozekmsgid "<option>prompt_always</option>"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"Always prompt the user for credentials. With this option credentials "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"requested by other PAM modules, typically a password, will be ignored and "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"pam_sss will prompt for credentials again. Based on the pre-auth reply by "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"SSSD pam_sss might prompt for a password, a Smartcard PIN or other "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"credentials."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "MODULE TYPES PROVIDED"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"All module types (<option>account</option>, <option>auth</option>, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>password</option> and <option>session</option>) are provided."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "FILES"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If a password reset by root fails, because the corresponding SSSD provider "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"does not support password resets, an individual message can be displayed. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This message can e.g. contain instructions about how to reset a password."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"filename> where LOC stands for a locale string returned by <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>. If there is no matching file the content of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the owner of the files and only root may have read and write permissions "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"while all other users must have only read permissions."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"These files are searched in the directory <filename>/etc/sssd/customize/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sssd_krb5_locator_plugin"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Kerberos locator plugin"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"libraries what Realm and which KDC to use. Typically this is done in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"To simplify the configuration the Realm and the KDC can be defined in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> as described in <citerefentry> "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"</citerefentry> puts the Realm and the name or IP address of the KDC into "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"libraries it reads and evaluates these variables and returns them to the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Not all Kerberos implementations support the use of plugins. If "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sssd_krb5_locator_plugin</command> is not available on your system "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"debug messages will be sent to stderr."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sssd-simple"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "the configuration file for SSSD's 'simple' access-control provider"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This manual page describes the configuration of the simple access-control "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> manual page."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The simple access provider grants or denies access based on an access or "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"deny list of user or group names. The following rules apply:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "If all lists are empty, access is granted"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If any list is provided, the order of evaluation is allow,deny. This means "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"that any matching deny rule will supersede any matched allow rule."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If either or both \"allow\" lists are provided, all users are denied unless "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"they appear in the list."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If only \"deny\" lists are provided, all users are granted access unless "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"they appear in the list."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "simple_allow_users (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Comma separated list of users who are allowed to log in."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "simple_deny_users (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Comma separated list of users who are explicitly denied access."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "simple_allow_groups (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Comma separated list of groups that are allowed to log in. This applies only "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to groups within this SSSD domain. Local groups are not evaluated."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "simple_deny_groups (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Comma separated list of groups that are explicitly denied access. This "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"applies only to groups within this SSSD domain. Local groups are not "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-simple.5.xml:70 sssd-ipa.5.xml:82 sssd-ad.5.xml:113
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> manual page for details on the configuration of an SSSD "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"Specifying no values for any of the lists is equivalent to skipping it "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"entirely. Beware of this while generating parameters for the simple provider "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"using automated scripts."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that it is an configuration error if both, simple_allow_users "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"and simple_deny_users, are defined."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following example assumes that SSSD is correctly configured and example."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This examples shows only the simple access provider-specific options."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"access_provider = simple\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"simple_allow_users = user1, user2\n"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"The complete group membership hierarchy is resolved before the access check, "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"thus even nested groups can be included in the access lists. Please be "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"aware that the <quote>ldap_group_nesting_level</quote> option may impact the "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"results and should be set to a sufficient value. (<citerefentry> "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"citerefentry>) option."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "sss-certmap"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "SSSD Certificate Matching and Mapping Rules"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The manual page describes the rules which can be used by SSSD and other "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"components to match X.509 certificates and map them to accounts."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Each rule has four components, a <quote>priority</quote>, a <quote>matching "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"quote>. All components are optional. A missing <quote>priority</quote> will "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"add the rule with the lowest priority. The default <quote>matching rule</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"quote> will match certificates with the digitalSignature key usage and "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"clientAuth extended key usage. If the <quote>mapping rule</quote> is empty "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the certificates will be searched in the userCertificate attribute as DER "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"encoded binary. If no domains are given only the local domain will be "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "RULE COMPONENTS"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "PRIORITY"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"The rules are processed by priority while the number '0' (zero) indicates "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"the highest priority. The higher the number the lower is the priority. A "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"missing value indicates the lowest priority."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Internally the priority is treated as unsigned 32bit integer, using a "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"priority value larger than 4294967295 will cause an error."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "MATCHING RULE"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The matching rule is used to select a certificate to which the mapping rule "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"should be applied. It uses a system similar to the one used by "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"keyword enclosed by '<' and '>' which identified a certain part of the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"certificate and a pattern which should be found for the rule to match. "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Multiple keyword pattern pairs can be either joined with '&&' (and) "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"or '||' (or)."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SUBJECT>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"With this a part or the whole subject name of the certificate can be "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"matched. For the matching POSIX Extended Regular Expression syntax is used, "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"see regex(7) for details."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"For the matching the subject name stored in the certificate in DER encoded "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"ASN.1 is converted into a string according to RFC 4514. This means the most "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"specific name component comes first. Please note that not all possible "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"attribute names are covered by RFC 4514. The names included are 'CN', 'L', "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"be shown differently on different platform and by different tools. To avoid "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"confusion those attribute names are best not used or covered by a suitable "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"regular-expression."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<ISSUER>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"With this a part or the whole issuer name of the certificate can be matched. "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"All comments for <SUBJECT> apply her as well."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<KU>key-usage"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This option can be used to specify which key usage values the certificate "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"should have. The following values can be used in a comma separated list:"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "digitalSignature"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "nonRepudiation"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "keyEncipherment"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "dataEncipherment"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "keyAgreement"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "keyCertSign"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "cRLSign"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "encipherOnly"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "decipherOnly"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"A numerical value in the range of a 32bit unsigned integer can be used as "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"well to cover special use cases."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <KU>digitalSignature,keyEncipherment"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<EKU>extended-key-usage"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This option can be used to specify which extended key usage the certificate "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"should have. The following value can be used in a comma separated list:"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "serverAuth"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "clientAuth"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "codeSigning"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "emailProtection"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "timeStamping"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "OCSPSigning"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "KPClientAuth"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "pkinit"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "msScLogin"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Extended key usages which are not listed above can be specified with their "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"OID in dotted-decimal notation."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"To be compatible with the usage of MIT Kerberos this option will match the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Principal> does."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN>.*@MY\\.REALM"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:Principal>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:Principal>.*@MY\\.REALM"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:ntPrincipalName>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Match the Kerberos principals from the AD NT Principal SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:pkinit>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Match the Kerberos principals from the PKINIT SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:dotted-decimal-oid>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Take the value of the otherName SAN component given by the OID in dotted-"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"decimal notation, interpret it as string and try to match it against the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"regular expression."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:1.2.3.4>test"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:otherName>base64-string"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Do a binary match with the base64 encoded blob against all otherName SAN "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"components. With this option it is possible to match against custom "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"otherName components with special encodings which could not be treated as "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:otherName>MTIz"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:rfc822Name>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Match the value of the rfc822Name SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:rfc822Name>.*@email\\.domain"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:dNSName>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Match the value of the dNSName SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:x400Address>base64-string"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Binary match the value of the x400Address SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:x400Address>MTIz"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:directoryName>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Match the value of the directoryName SAN. The same comments as given for <"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"ISSUER> and <SUBJECT> apply here as well."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:directoryName>.*,DC=com"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:ediPartyName>base64-string"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Binary match the value of the ediPartyName SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:ediPartyName>MTIz"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:uniformResourceIdentifier>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Match the value of the uniformResourceIdentifier SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:uniformResourceIdentifier>URN:.*"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:iPAddress>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Match the value of the iPAddress SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:iPAddress>192\\.168\\..*"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "<SAN:registeredID>regular-expression"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Match the value of the registeredID SAN as dotted-decimal string."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: <SAN:registeredID>1\\.2\\.3\\..*"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The available options are: <placeholder type=\"variablelist\" id=\"0\"/>"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "MAPPING RULE"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The mapping rule is used to associate a certificate with one or more "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"accounts. A Smartcard with the certificate and the matching private key can "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"then be used to authenticate as one of those accounts."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Currently SSSD basically only supports LDAP to lookup user information (the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"exception is the proxy provider which is not of relevance here). Because of "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"this the mapping rule is based on LDAP search filter syntax with templates "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"to add certificate content to the filter. It is expected that the filter "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"will only contain the specific data needed for the mapping and that the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"caller will embed it in another filter to do the actual search. Because of "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"this the filter string should start and stop with '(' and ')' respectively."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"In general it is recommended to use attributes from the certificate and add "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"them to special attributes to the LDAP user object. E.g. the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"for IPA can be used."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This should be preferred to read user specific data from the certificate "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"like e.g. an email address and search for it in the LDAP server. The reason "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"is that the user specific data in LDAP might change for various reasons "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"would break the mapping. On the other hand it would be hard to break the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"mapping on purpose for a specific user."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the full issuer DN converted to a string according to "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the '_x500' prefix should be used."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The conversion options starting with 'ad_' will use attribute names as used "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"by AD, e.g. 'S' instead of 'ST'."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The conversion options starting with 'nss_' will use attribute names as used "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The default conversion option is 'nss', i.e. attribute names according to "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"NSS and LDAP/RFC 4514 ordering."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the full subject DN converted to string according to "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"RFC 4514. If X.500 ordering (most specific RDN comes last) an option with "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the '_x500' prefix should be used."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"{subject_dn!nss_x500})"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{cert[!(bin|base64)]}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the whole DER encoded certificate as a string to the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"search filter. Depending on the conversion option the binary certificate is "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"either converted to an escaped hex sequence '\\xx' or base64. The escaped "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"hex sequence is the default and can e.g. be used with the LDAP attribute "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"'userCertificate;binary'."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: (userCertificate;binary={cert!bin})"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{subject_principal[.short_name]}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the Kerberos principal which is taken either from the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"SAN used by pkinit or the one used by AD. The 'short_name' component "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"represents the first part of the principal before the '@' sign."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Example: (|(userPrincipal={subject_principal})"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"(samAccountName={subject_principal.short_name}))"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{subject_pkinit_principal[.short_name]}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"This template will add the Kerberos principal which is given by the SAN used "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"by pkinit. The 'short_name' component represents the first part of the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"principal before the '@' sign."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Example: (|(userPrincipal={subject_pkinit_principal})"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{subject_nt_principal[.short_name]}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"This template will add the Kerberos principal which is given by the SAN used "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"by AD. The 'short_name' component represent the first part of the principal "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"before the '@' sign."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{subject_rfc822_name[.short_name]}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the string which is stored in the rfc822Name "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"component of the SAN, typically an email address. The 'short_name' component "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"represents the first part of the address before the '@' sign."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"short_name}))"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{subject_dns_name[.short_name]}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the string which is stored in the dNSName component "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"of the SAN, typically a fully-qualified host name. The 'short_name' "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"component represents the first part of the name before the first '.' sign."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{subject_uri}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the string which is stored in the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"uniformResourceIdentifier component of the SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: (uri={subject_uri})"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{subject_ip_address}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the string which is stored in the iPAddress component "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"of the SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: (ip={subject_ip_address})"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{subject_x400_address}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the value which is stored in the x400Address "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"component of the SAN as escaped hex sequence."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: (attr:binary={subject_x400_address})"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the DN string of the value which is stored in the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"directoryName component of the SAN."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: (orig_dn={subject_directory_name})"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{subject_ediparty_name}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the value which is stored in the ediPartyName "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"component of the SAN as escaped hex sequence."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: (attr:binary={subject_ediparty_name})"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "{subject_registered_id}"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This template will add the OID which is stored in the registeredID component "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"of the SAN as a dotted-decimal string."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Example: (oid={subject_registered_id})"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The templates to add certificate data to the search filter are based on "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Python-style formatting strings. They consist of a keyword in curly braces "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"with an optional sub-component specifier separated by a '.' or an optional "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"conversion/formatting option separated by a '!'. Allowed values are: "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<placeholder type=\"variablelist\" id=\"0\"/>"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "DOMAIN LIST"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"If the domain list is not empty users mapped to a given certificate are not "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"only searched in the local domain but in the listed domains as well as long "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"as they are know by SSSD. Domains not know to SSSD will be ignored."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "sssd-ipa"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "SSSD IPA provider"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This manual page describes the configuration of the IPA provider for "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The IPA provider is a back end used to connect to an IPA server. (Refer to "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the freeipa.org web site for information about IPA servers.) This provider "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"requires that the machine be joined to the IPA domain; configuration is "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"almost entirely self-discovered and obtained directly from the server."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"optimizations for IPA environments. The IPA provider accepts the same "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"options used by the sssd-ldap and sssd-krb5 providers with some exceptions. "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"However, it is neither necessary nor recommended to set these options."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The IPA provider primarily copies the traditional ldap and krb5 provider "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"default options with some exceptions, the differences are listed in the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"As an access provider, the IPA provider uses HBAC (host-based access "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"control) rules. Please refer to freeipa.org for more information about "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"HBAC. No configuration of access provider is required on the client side."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"configured in sssd.conf then the id_provider must also be set to <quote>ipa</"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The IPA provider will use the PAC responder if the Kerberos tickets of users "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"from trusted realms contain a PAC. To make configuration easier the PAC "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"responder is started automatically if the IPA ID provider is configured."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "ipa_domain (string)"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the name of the IPA domain. This is optional. If not provided, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the configuration domain name is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "ipa_server, ipa_backup_server (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The comma-separated list of IP addresses or hostnames of the IPA servers to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"which SSSD should connect in the order of preference. For more information "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This is optional if autodiscovery is enabled. For more information on "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_hostname (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Optional. May be set on machines where the hostname(5) does not reflect the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"fully qualified name used in the IPA domain to identify this host. The "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"hostname must be fully qualified."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_update (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Optional. This option tells SSSD to automatically update the DNS server "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"built into FreeIPA with the IP address of this client. The update is secured "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"using GSS-TSIG. The IP address of the IPA LDAP connection is used for the "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"updates, if it is not otherwise specified by using the <quote>dyndns_iface</"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"quote> option."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the default Kerberos realm must be set properly in /etc/krb5.conf"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> option, users should migrate to using <emphasis>dyndns_update</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> in their config file."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_ttl (integer)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The TTL to apply to the client DNS record when updating it. If "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"dyndns_update is false this has no effect. This will override the TTL "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"serverside if set by an administrator."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> in their config file."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Default: 1200 (seconds)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_iface (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Optional. Applicable only when dyndns_update is true. Choose the interface "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"or a list of interfaces whose IP addresses should be used for dynamic DNS "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"updates. Special value <quote>*</quote> implies that IPs from all interfaces "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"should be used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> in their config file."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Default: Use the IP addresses of the interface which is used for IPA LDAP "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "Example: dyndns_iface = em1, vnet1, vnet2"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "dyndns_auth (string)"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek"Whether the nsupdate utility should use GSS-TSIG authentication for secure "
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek"updates with the DNS server, insecure updates can be sent by setting this "
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek"option to 'none'."
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "Default: GSS-TSIG"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "ipa_enable_dns_sites (boolean)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "Enables DNS sites - location based service discovery."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"If true and service discovery (see Service Discovery paragraph at the bottom "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"of the man page) is enabled, then the SSSD will first attempt location "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"based discovery using a query that contains \"_location.hostname.example.com"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"\" and then fall back to traditional SRV discovery. If the location based "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"discovery succeeds, the IPA servers located with the location based "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"discovery are treated as primary servers and the IPA servers located using "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"the traditional SRV discovery are used as back up servers"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_refresh_interval (integer)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"How often should the back end perform periodic DNS update in addition to the "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"automatic update performed when the back end goes online. This option is "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"optional and applicable only when dyndns_update is true."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_update_ptr (bool)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Whether the PTR record should also be explicitly updated when updating the "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"client's DNS records. Applicable only when dyndns_update is true."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"This option should be False in most IPA deployments as the IPA server "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"generates the PTR records automatically when forward records are changed."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "Default: False (disabled)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_force_tcp (bool)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Whether the nsupdate utility should default to using TCP for communicating "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"with the DNS server."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "Default: False (let nsupdate choose the protocol)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "dyndns_server (string)"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"The DNS server to use when performing a DNS update. In most setups, it's "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"recommended to leave this option unset."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Setting this option makes sense for environments where the DNS server is "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"different from the identity server."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Please note that this option will be only used in fallback attempt when "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"previous attempt using autodetected settings failed."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "Default: None (let nsupdate choose the server)"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "ipa_deskprofile_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Optional. Use the given string as search base for Desktop Profile related "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Use base DN"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "ipa_hbac_search_base (string)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Optional. Use the given string as search base for HBAC related objects."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_host_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "Deprecated. Use ldap_host_search_base instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Optional. Use the given string as search base for SELinux user maps."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_subdomains_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Optional. Use the given string as search base for trusted domains."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_master_domain_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Optional. Use the given string as search base for master domain object."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ipa_views_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Optional. Use the given string as search base for views containers."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The name of the Kerberos realm. This is optional and defaults to the value "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of <quote>ipa_domain</quote>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The name of the Kerberos realm has a special meaning in IPA - it is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"converted into the base DN to use for performing LDAP operations."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "krb5_confd_path (string)"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Absolute path of a directory where SSSD should place Kerberos configuration "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"To disable the creation of the configuration snippets set the parameter to "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "ipa_deskprofile_refresh (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"The amount of time between lookups of the Desktop Profile rules against the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"IPA server. This will reduce the latency and load on the IPA server if there "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"are many desktop profiles requests made in a short period."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ipa.5.xml:471 sssd-ipa.5.xml:501 sssd-ipa.5.xml:517 sssd-ad.5.xml:428
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Default: 5 (seconds)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "ipa_deskprofile_request_interval (integer)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"The amount of time between lookups of the Desktop Profile rules against the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"IPA server in case the last request did not return any rule."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Default: 60 (minutes)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "ipa_hbac_refresh (integer)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"The amount of time between lookups of the HBAC rules against the IPA server. "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"This will reduce the latency and load on the IPA server if there are many "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"access-control requests made in a short period."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ipa_hbac_selinux (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The amount of time between lookups of the SELinux maps against the IPA "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"server. This will reduce the latency and load on the IPA server if there are "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"many user login requests made in a short period."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ipa_server_mode (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This option will be set by the IPA installer (ipa-server-install) "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"automatically and denotes if SSSD is running on an IPA server or not."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"On an IPA server SSSD will lookup users and groups from trusted domains "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"directly while on a client it will ask an IPA server."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"NOTE: There are currently some assumptions that must be met when SSSD is "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"running on an IPA server."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"The <quote>ipa_server</quote> option must be configured to point to the IPA "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"server itself. This is already the default set by the IPA installer, so no "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"manual change is required."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"The <quote>full_name_format</quote> option must not be tweaked to only print "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"short names for users from trusted domains."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ipa_automount_location (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "The automounter location this IPA client will be using"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Default: The location named \"default\""
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "VIEWS AND OVERRIDES"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ipa_view_class (string)"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Objectclass of the view container."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Default: nsContainer"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ipa_view_name (string)"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Name of the attribute holding the name of the view."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "ipa_override_object_class (string)"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Objectclass of the override objects."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Default: ipaOverrideAnchor"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ipa_anchor_uuid (string)"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"Name of the attribute containing the reference to the original object in a "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"remote domain."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Default: ipaAnchorUUID"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ipa_user_override_object_class (string)"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"Name of the objectclass for user overrides. It is used to determine if the "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"found override object is related to a user or a group."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "User overrides can contain attributes given by"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ldap_user_name"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ldap_user_uid_number"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ldap_user_gid_number"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ldap_user_gecos"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ldap_user_home_directory"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ldap_user_shell"
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozekmsgid "ldap_user_ssh_public_key"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Default: ipaUserOverride"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ipa_group_override_object_class (string)"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"Name of the objectclass for group overrides. It is used to determine if the "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"found override object is related to a user or a group."
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Group overrides can contain attributes given by"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ldap_group_name"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "ldap_group_gid_number"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "Default: ipaGroupOverride"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"SSSD can handle views and overrides which are offered by FreeIPA 4.1 and "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"later version. Since all paths and objectclasses are fixed on the server "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"side there is basically no need to configure anything. For completeness the "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"related options are listed here with their default values. <placeholder "
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek"type=\"variablelist\" id=\"0\"/>"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "SUBDOMAINS PROVIDER"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The IPA subdomains provider behaves slightly differently if it is configured "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"explicitly or implicitly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"If the option 'subdomains_provider = ipa' is found in the domain section of "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"sssd.conf, the IPA subdomains provider is configured explicitly, and all "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"subdomain requests are sent to the IPA server if necessary."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"If the option 'subdomains_provider' is not set in the domain section of sssd."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"conf but there is the option 'id_provider = ipa', the IPA subdomains "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"provider is configured implicitly. In this case, if a subdomain request "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"fails and indicates that the server does not support subdomains, i.e. is not "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"configured for trusts, the IPA subdomains provider is disabled. After an "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"hour or after the IPA provider goes online, the subdomains provider is "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"enabled again."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following example assumes that SSSD is correctly configured and example."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This examples shows only the ipa provider-specific options."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"id_provider = ipa\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ipa_hostname = myhost.example.com\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sssd-ad"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "SSSD Active Directory provider"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This manual page describes the configuration of the AD provider for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The AD provider is a back end used to connect to an Active Directory server. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This provider requires that the machine be joined to the AD domain and a "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"keytab is available. Back end communication occurs over a GSSAPI-encrypted "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"channel, SSL/TLS options should not be used with the AD provider and will be "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"superseded by Kerberos usage."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The AD provider supports connecting to Active Directory 2008 R2 or later. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Earlier versions may work, but are unsupported."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"The AD provider can be used to get user information and authenticate users "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"from trusted domains. Currently only trusted domains in the same forest are "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"recognized. In addition servers from trusted domains are always auto-"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"discovered."
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> authentication provider with "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"optimizations for Active Directory environments. The AD provider accepts the "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"same options used by the sssd-ldap and sssd-krb5 providers with some "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"exceptions. However, it is neither necessary nor recommended to set these "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"The AD provider primarily copies the traditional ldap and krb5 provider "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"default options with some exceptions, the differences are listed in the "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"<quote>MODIFIED DEFAULT OPTIONS</quote> section."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"The AD provider can also be used as an access, chpass, sudo and autofs "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"provider. No configuration of the access provider is required on the client "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"configured in sssd.conf then the id_provider must also be set to <quote>ad</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_id_mapping = False\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"By default, the AD provider will map UID and GID values from the objectSID "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"parameter in Active Directory. For details on this, see the <quote>ID "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"MAPPING</quote> section below. If you want to disable ID mapping and instead "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"rely on POSIX attributes defined in Active Directory, you should set "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"be used, it is recommended for performance reasons that the attributes are "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"also replicated to the Global Catalog. If POSIX attributes are replicated, "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"SSSD will attempt to locate the domain of a requested numerical ID with the "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"help of the Global Catalog and only search that domain. In contrast, if "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"POSIX attributes are not replicated to the Global Catalog, SSSD must search "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"all the domains in the forest sequentially. Please note that the "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"<quote>cache_first</quote> option might be also helpful in speeding up "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"domainless searches."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Users, groups and other entities served by SSSD are always treated as case-"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"insensitive in the AD provider for compatibility with Active Directory's "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"LDAP implementation."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ad_domain (string)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Specifies the name of the Active Directory domain. This is optional. If not "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"provided, the configuration domain name is used."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"For proper operation, this option should be specified as the lower-case "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"version of the long version of the Active Directory domain."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The short domain name (also known as the NetBIOS or the flat name) is "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"autodetected by the SSSD."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozekmsgid "ad_enabled_domains (string)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"A comma-separated list of enabled Active Directory domains. If provided, "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"SSSD will ignore any domains not listed in this option. If left unset, all "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"domains from the AD forest will be available."
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"ad_enabled_domains = sales.example.com, eng.example.com\n"
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"For proper operation, this option must be specified in all lower-case and as "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"the fully qualified domain name of the Active Directory domain. For example: "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"The short domain name (also known as the NetBIOS or the flat name) will be "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"autodetected by SSSD."
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozekmsgid "ad_server, ad_backup_server (string)"
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The comma-separated list of hostnames of the AD servers to which SSSD should "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"connect in order of preference. For more information on failover and server "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"redundancy, see the <quote>FAILOVER</quote> section."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"This is optional if autodiscovery is enabled. For more information on "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Note: Trusted domains will always auto-discover servers even if the primary "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"server is explicitly defined in the ad_server option."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ad_hostname (string)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Optional. May be set on machines where the hostname(5) does not reflect the "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"fully qualified name used in the Active Directory domain to identify this "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"This field is used to determine the host principal in use in the keytab. It "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"must match the hostname for which the keytab was issued."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ad_enable_dns_sites (boolean)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"If true and service discovery (see Service Discovery paragraph at the bottom "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"of the man page) is enabled, the SSSD will first attempt to discover the "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Active Directory server to connect to using the Active Directory Site "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Discovery and fall back to the DNS SRV records if no AD site is found. The "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"DNS SRV configuration, including the discovery domain, is used during site "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"discovery as well."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ad_access_filter (string)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"This option specifies LDAP access control filter that the user must match in "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"order to be allowed access. Please note that the <quote>access_provider</"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"quote> option must be explicitly set to <quote>ad</quote> in order for this "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"option to have an effect."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The option also supports specifying different filters per domain or forest. "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"quote> specifies the domain or subdomain the filter applies to. If the "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"keyword equals to <quote>FOREST</quote>, then the filter equals to all "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"domains from the forest specified by <quote>NAME</quote>."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Multiple filters can be separated with the <quote>?</quote> character, "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"similarly to how search bases work."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"Nested group membership must be searched for using a special OID "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"example.org: syntax to ensure the parser does not attempt to interpret the "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"colon characters associated with the OID. If you do not use this OID then "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"nested group membership will not be resolved. See usage example below and "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"refer here for further information about the OID: <ulink url=\"https://msdn."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"extensions</ulink>"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The most specific match is always used. For example, if the option specified "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"filter for a domain the user is a member of and a global filter, the per-"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"domain filter would be applied. If there are more matches with the same "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"specification, the first one is used."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"# apply filter on domain called dom1 only:\n"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"# apply filter on domain called dom2 only:\n"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"# apply filter on forest called EXAMPLE.COM only:\n"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"# apply filter for a member of a nested group in dom1:\n"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozekmsgid "ad_site (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"Specify AD site to which client should try to connect. If this option is "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"not provided, the AD site will be auto-discovered."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozekmsgid "ad_enable_gc (boolean)"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"By default, the SSSD connects to the Global Catalog first to retrieve users "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"from trusted domains and uses the LDAP port to retrieve group memberships or "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"as a fallback. Disabling this option makes the SSSD only connect to the LDAP "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"port of the current AD server."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Please note that disabling Global Catalog support does not disable "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"retrieving users from trusted domains. The SSSD would connect to the LDAP "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"port of trusted domains instead. However, Global Catalog must be used in "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"order to resolve cross-domain group memberships."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "ad_gpo_access_control (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"This option specifies the operation mode for GPO-based access control "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"functionality: whether it operates in disabled mode, enforcing mode, or "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"permissive mode. Please note that the <quote>access_provider</quote> option "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"must be explicitly set to <quote>ad</quote> in order for this option to have "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"GPO-based access control functionality uses GPO policy settings to determine "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"whether or not a particular user is allowed to logon to a particular host."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"NOTE: The current version of SSSD does not support host (computer) entries "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"in the GPO 'Security Filtering' list. Only user and group entries are "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"supported. Host entries in the list have no effect."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"NOTE: If the operation mode is set to enforcing, it is possible that users "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"that were previously allowed logon access will now be denied logon access "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"(as dictated by the GPO policy settings). In order to facilitate a smooth "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"transition for administrators, a permissive mode is available that will not "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"enforce the access control rules, but will evaluate them and will output a "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"syslog message if access would have been denied. By examining the logs, "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"administrators can then make the necessary changes before setting the mode "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"to enforcing."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "There are three supported values for this option:"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"disabled: GPO-based access control rules are neither evaluated nor enforced."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "enforcing: GPO-based access control rules are evaluated and enforced."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"permissive: GPO-based access control rules are evaluated, but not enforced. "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Instead, a syslog message will be emitted indicating that the user would "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"have been denied access if this option's value were set to enforcing."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Default: permissive"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozekmsgid "Default: enforcing"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "ad_gpo_cache_timeout (integer)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"The amount of time between lookups of GPO policy files against the AD "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"server. This will reduce the latency and load on the AD server if there are "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"many access-control requests made in a short period."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "ad_gpo_map_interactive (string)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"A comma-separated list of PAM service names for which GPO-based access "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"control is evaluated based on the InteractiveLogonRight and "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"DenyInteractiveLogonRight policy settings."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"Note: Using the Group Policy Management Editor this value is called \"Allow "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"log on locally\" and \"Deny log on locally\"."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ad_gpo_map_interactive = +my_pam_service, -login\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"It is possible to add another PAM service name to the default set by using "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"the default set by using <quote>-service_name</quote>. For example, in "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"order to replace a default PAM service name for this logon right (e.g. "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>login</quote>) with a custom pam service name (e.g. "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>my_pam_service</quote>), you would use the following configuration: "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#: sssd-ad.5.xml:461 sssd-ad.5.xml:557 sssd-ad.5.xml:603 sssd-ad.5.xml:648
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Default: the default set of PAM service names includes:"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "login"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "gdm-fingerprint"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "gdm-password"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "gdm-smartcard"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "lightdm"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "unity"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "ad_gpo_map_remote_interactive (string)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"A comma-separated list of PAM service names for which GPO-based access "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"control is evaluated based on the RemoteInteractiveLogonRight and "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"DenyRemoteInteractiveLogonRight policy settings."
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Note: Using the Group Policy Management Editor this value is called \"Allow "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"log on through Remote Desktop Services\" and \"Deny log on through Remote "
481ec0e1eb0058195732cb320845b41f6f4d43ebJakub Hrozek"Desktop Services\"."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"It is possible to add another PAM service name to the default set by using "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"the default set by using <quote>-service_name</quote>. For example, in "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"order to replace a default PAM service name for this logon right (e.g. "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>sshd</quote>) with a custom pam service name (e.g. "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>my_pam_service</quote>), you would use the following configuration: "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "cockpit"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "ad_gpo_map_network (string)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"A comma-separated list of PAM service names for which GPO-based access "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"control is evaluated based on the NetworkLogonRight and "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"DenyNetworkLogonRight policy settings."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"Note: Using the Group Policy Management Editor this value is called \"Access "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"this computer from the network\" and \"Deny access to this computer from the "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ad_gpo_map_network = +my_pam_service, -ftp\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"It is possible to add another PAM service name to the default set by using "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"the default set by using <quote>-service_name</quote>. For example, in "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"order to replace a default PAM service name for this logon right (e.g. "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>ftp</quote>) with a custom pam service name (e.g. "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>my_pam_service</quote>), you would use the following configuration: "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "samba"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "ad_gpo_map_batch (string)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"A comma-separated list of PAM service names for which GPO-based access "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"control is evaluated based on the BatchLogonRight and DenyBatchLogonRight "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"policy settings."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"Note: Using the Group Policy Management Editor this value is called \"Allow "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"log on as a batch job\" and \"Deny log on as a batch job\"."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ad_gpo_map_batch = +my_pam_service, -crond\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"It is possible to add another PAM service name to the default set by using "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"the default set by using <quote>-service_name</quote>. For example, in "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"order to replace a default PAM service name for this logon right (e.g. "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>crond</quote>) with a custom pam service name (e.g. "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>my_pam_service</quote>), you would use the following configuration: "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "crond"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "ad_gpo_map_service (string)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"A comma-separated list of PAM service names for which GPO-based access "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"control is evaluated based on the ServiceLogonRight and "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"DenyServiceLogonRight policy settings."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"Note: Using the Group Policy Management Editor this value is called \"Allow "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"log on as a service\" and \"Deny log on as a service\"."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ad_gpo_map_service = +my_pam_service\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"It is possible to add a PAM service name to the default set by using <quote>"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"+service_name</quote>. Since the default set is empty, it is not possible "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"to remove a PAM service name from the default set. For example, in order to "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"add a custom pam service name (e.g. <quote>my_pam_service</quote>), you "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"would use the following configuration: <placeholder type=\"programlisting\" "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "ad_gpo_map_permit (string)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"A comma-separated list of PAM service names for which GPO-based access is "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"always granted, regardless of any GPO Logon Rights."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ad_gpo_map_permit = +my_pam_service, -sudo\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"It is possible to add another PAM service name to the default set by using "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>+service_name</quote> or to explicitly remove a PAM service name from "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"the default set by using <quote>-service_name</quote>. For example, in "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"order to replace a default PAM service name for unconditionally permitted "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>my_pam_service</quote>), you would use the following configuration: "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "polkit-1"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "sudo-i"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozekmsgid "systemd-user"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "ad_gpo_map_deny (string)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"A comma-separated list of PAM service names for which GPO-based access is "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"always denied, regardless of any GPO Logon Rights."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"ad_gpo_map_deny = +my_pam_service\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "ad_gpo_default_right (string)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"This option defines how access control is evaluated for PAM service names "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"that are not explicitly listed in one of the ad_gpo_map_* options. This "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"option can be set in two different manners. First, this option can be set to "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"use a default logon right. For example, if this option is set to "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"'interactive', it means that unmapped PAM service names will be processed "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"based on the InteractiveLogonRight and DenyInteractiveLogonRight policy "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"settings. Alternatively, this option can be set to either always permit or "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"always deny access for unmapped PAM service names."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Supported values for this option include:"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "interactive"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "remote_interactive"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "network"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "batch"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "service"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "permit"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Default: deny"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ad_maximum_machine_account_password_age (integer)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"SSSD will check once a day if the machine account password is older than the "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"given age in days and try to renew it. A value of 0 will disable the renewal "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Default: 30 days"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ad_machine_account_password_renewal_opts (string)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"This option should only be used to test the machine account renewal task. "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"The option expects 2 integers separated by a colon (':'). The first integer "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"defines the interval in seconds how often the task is run. The second "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"specifies the initial timeout in seconds before the task is run for the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"first time after startup."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Default: 86400:750 (24h and 15m)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Optional. This option tells SSSD to automatically update the Active "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Directory DNS server with the IP address of this client. The update is "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"secured using GSS-TSIG. As a consequence, the Active Directory administrator "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"only needs to allow secure updates for the DNS zone. The IP address of the "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"AD LDAP connection is used for the updates, if it is not otherwise specified "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"by using the <quote>dyndns_iface</quote> option."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "Default: 3600 (seconds)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Default: Use the IP addresses of the interface which is used for AD LDAP "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"How often should the back end perform periodic DNS update in addition to the "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"automatic update performed when the back end goes online. This option is "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"optional and applicable only when dyndns_update is true. Note that the "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"lowest possible value is 60 seconds in-case if value is provided less than "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"60, parameter will assume lowest value only."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "Default: True"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following example assumes that SSSD is correctly configured and example."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This example shows only the AD provider-specific options."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"id_provider = ad\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"auth_provider = ad\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access_provider = ad\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"chpass_provider = ad\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ad_hostname = client.example.com\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ad_domain = example.com\n"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"access_provider = ldap\n"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"ldap_access_order = expire\n"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"ldap_account_expire_policy = ad\n"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The AD access control provider checks if the account is expired. It has the "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"same effect as the following configuration of the LDAP provider: "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek"However, unless the <quote>ad</quote> access control provider is explicitly "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"configured, the default access provider is <quote>permit</quote>. Please "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"note that if you configure an access provider other than <quote>ad</quote>, "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"you need to set all the connection parameters (such as LDAP URIs and "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"encryption details) manually."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"attribute mapping (nisMap, nisObject, ...) is used, because these attributes "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"are included in the default Active Directory schema."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refmeta><refentrytitle>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 sssd-session-recording.5.xml:10
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "sssd-sudo"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Configuring sudo with the SSSD back end"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"This manual page describes how to configure <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Configuring sudo to cooperate with SSSD"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"the <emphasis>sudoers</emphasis> entry in <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"For example, to configure sudo to first lookup rules in the standard "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"manvolnum> </citerefentry> file (which should contain rules that apply to "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"local users) and then in SSSD, the nsswitch.conf file should contain the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"following line:"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "sudoers: files sss\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"More information about configuring the sudoers search order from the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"nsswitch.conf file as well as information about the LDAP schema that is used "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"to store sudo rules in the directory can be found in <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"sudo rules, you also need to correctly set <citerefentry> "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"citerefentry> to your NIS domain name (which equals to IPA domain name when "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"using hostgroups)."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Configuring SSSD to fetch sudo rules"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"All configuration that is needed on SSSD side is to extend the list of "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>services</emphasis> with \"sudo\" in [sssd] section of "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The following example shows how to configure SSSD to download sudo rules "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"from an LDAP server."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"config_file_version = 2\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"services = nss, pam, sudo\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"domains = EXAMPLE\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"id_provider = ldap\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"sudo_provider = ldap\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_uri = ldap://example.com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/> <phrase condition="
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"\"have_systemd\"> It's important to note that on platforms where systemd is "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"supported there's no need to add the \"sudo\" provider to the list of "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"services, as it became optional. However, sssd-sudo.socket must be enabled "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"instead. </phrase>"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"When SSSD is configured to use IPA as the ID provider, the sudo provider is "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"automatically enabled. The sudo search base is configured to use the IPA "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"sssd.conf, this value will be used instead. The compat tree (ou=sudoers,"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"$SUFFIX) is no longer required for IPA sudo functionality."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "The SUDO rule caching mechanism"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The biggest challenge, when developing sudo support in SSSD, was to ensure "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"that running sudo with SSSD as the data source provides the same user "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"experience and is as fast as sudo but keeps providing the most current set "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"of rules as possible. To satisfy these requirements, SSSD uses three kinds "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"of updates. They are referred to as full refresh, smart refresh and rules "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"new or were modified after the last update. Its primary goal is to keep the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"database growing by fetching only small increments that do not generate "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"large amounts of network traffic."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"in the cache and replaces them with all rules that are stored on the server. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"This is used to keep the cache consistent by removing every rule which was "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"deleted from the server. However, full refresh may produce a lot of traffic "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"and thus it should be run only occasionally depending on the size and "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"stability of the sudo rules."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"more permission than defined. It is triggered each time the user runs sudo. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Rules refresh will find all rules that apply to this user, check their "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"expiration time and redownload them if expired. In the case that any of "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"these rules are missing on the server, the SSSD will do an out of band full "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"refresh because more rules (that apply to other users) may have been deleted."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"If enabled, SSSD will store only rules that can be applied to this machine. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"This means rules that contain one of the following values in "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<emphasis>sudoHost</emphasis> attribute:"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "keyword ALL"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "wildcard"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "netgroup (in the form \"+netgroup\")"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "hostname or fully qualified domain name of this machine"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "one of the IP addresses of this machine"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "one of the IP addresses of the network (in the form \"address/mask\")"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"There are many configuration options that can be used to adjust the "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "System Security Services Daemon"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>SSSD</command> provides a set of daemons to manage access to remote "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directories and authentication mechanisms. It provides an NSS and PAM "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"interface toward the system and a pluggable backend system to connect to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"multiple different account sources as well as D-Bus interface. It is also "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the basis to provide client auditing and policy services for projects like "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"FreeIPA. It provides a more robust database to store local users as well as "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"extended user data."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>0</emphasis>: Disable microseconds in timestamp"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-f</option>,<option>--debug-to-files</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Send the debug output to files instead of stderr. By default, the log files "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are stored in <filename>/var/log/sssd</filename> and there are separate log "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"files for every SSSD service and domain."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"This option is deprecated. It is replaced by <option>--logger=files</option>."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozekmsgid "<option>--logger=</option><replaceable>value</replaceable>"
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"Location where SSSD will send log messages. This option overrides the value "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"of the deprecated option <option>--debug-to-files</option>. The deprecated "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"option will still work if the <option>--logger</option> is not used."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"<emphasis>stderr</emphasis>: Redirect debug messages to standard error "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"<emphasis>files</emphasis>: Redirect debug messages to the log files. By "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"default, the log files are stored in <filename>/var/log/sssd</filename> and "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"there are separate log files for every SSSD service and domain."
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-D</option>,<option>--daemon</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Become a daemon after starting up."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-i</option>,<option>--interactive</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Run in the foreground, don't become a daemon."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-c</option>,<option>--config</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"conf</filename>. For reference on the config file syntax and options, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> manual page."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>--version</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Print version number and exit."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Signals"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Informs the SSSD to gracefully terminate all of its child processes and then "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"shut down the monitor."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SIGHUP"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Tells the SSSD to stop writing to its current debug file descriptors and to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"close and reopen them. This is meant to facilitate log rolling with programs "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"like logrotate."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SIGUSR1"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"Tells the SSSD to simulate offline operation for the duration of the "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<quote>offline_timeout</quote> parameter. This is useful for testing. The "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"signal can be sent to either the sssd process or any sssd_be process "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SIGUSR2"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"Tells the SSSD to go online immediately. This is useful for testing. The "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"signal can be sent to either the sssd process or any sssd_be process "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"applications will not use the fast in memory cache."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_obfuscate"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "obfuscate a clear text password"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable></arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_obfuscate</command> converts a given password into human-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"unreadable format and places it into appropriate domain section of the SSSD "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"config file."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The cleartext password is read from standard input or entered "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"interactively. The obfuscated password is put into "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap_default_authtok_type</quote> parameter is set to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more details on these parameters."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that obfuscating the password provides <emphasis>no real "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"security benefit</emphasis> as it is still possible for an attacker to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"reverse-engineer the password back. Using better authentication mechanisms "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-s</option>,<option>--stdin</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The password to obfuscate will be read from standard input."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:70
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The SSSD domain to use the password in. The default name is <quote>default</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Read the config file specified by the positional parameter."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "sss_override"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "create local overrides of user and group attributes"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"<command>sss_override</command> enables to create a client-side view and "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"allows to change selected values of specific user and groups. This change "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"takes effect only on local machine."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Overrides data are stored in the SSSD cache. If the cache is deleted, all "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"local overrides are lost. Please note that after the first override is "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"created using any of the following <emphasis>user-add</emphasis>, "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<emphasis>group-import</emphasis> command. SSSD needs to be restarted to "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"take effect. <emphasis>sss_override</emphasis> prints message when a "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"restart is required."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "AVAILABLE COMMANDS"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Argument <emphasis>NAME</emphasis> is the name of original object in all "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"commands. It is not possible to override <emphasis>uid</emphasis> or "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"<emphasis>gid</emphasis> to 0."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"name</option> NAME</optional> <optional><option>-u,--uid</option> UID</"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"optional> <optional><option>-g,--gid</option> GID</optional> "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"optional> <optional><option>-x,--certificate</option> BASE64 ENCODED "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"CERTIFICATE</optional>"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Override attributes of an user. Please be aware that calling this command "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"will replace any previous override for the (NAMEd) user."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "<option>user-del</option> <emphasis>NAME</emphasis>"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Remove user overrides. However be aware that overridden attributes might be "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"returned from memory cache. Please see SSSD option "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<emphasis>memcache_timeout</emphasis> for more details."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"is set, only users from the domain are listed."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "<option>user-show</option> <emphasis>NAME</emphasis>"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Show user overrides."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "<option>user-import</option> <emphasis>FILE</emphasis>"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Import user overrides from <emphasis>FILE</emphasis>. Data format is "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"similar to standard passwd file. The format is:"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"where original_name is original name of the user whose attributes should be "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"overridden. The rest of fields correspond to new values. You can omit a "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"value simply by leaving corresponding field empty."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "ckent:superman::::::"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "<option>user-export</option> <emphasis>FILE</emphasis>"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Export all overridden attributes and store them in <emphasis>FILE</"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"emphasis>. See <emphasis>user-import</emphasis> for data format."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"name</option> NAME</optional> <optional><option>-g,--gid</option> GID</"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Override attributes of a group. Please be aware that calling this command "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"will replace any previous override for the (NAMEd) group."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "<option>group-del</option> <emphasis>NAME</emphasis>"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Remove group overrides. However be aware that overridden attributes might be "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"returned from memory cache. Please see SSSD option "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<emphasis>memcache_timeout</emphasis> for more details."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"List all groups with set overrides. If <emphasis>DOMAIN</emphasis> "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"parameter is set, only groups from the domain are listed."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "<option>group-show</option> <emphasis>NAME</emphasis>"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Show group overrides."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "<option>group-import</option> <emphasis>FILE</emphasis>"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Import group overrides from <emphasis>FILE</emphasis>. Data format is "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"similar to standard group file. The format is:"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "original_name:name:gid"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"where original_name is original name of the group whose attributes should be "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"overridden. The rest of fields correspond to new values. You can omit a "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"value simply by leaving corresponding field empty."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "admins:administrators:"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "Domain Users:Users:501"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "<option>group-export</option> <emphasis>FILE</emphasis>"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Export all overridden attributes and store them in <emphasis>FILE</"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"emphasis>. See <emphasis>group-import</emphasis> for data format."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "COMMON OPTIONS"
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "Those options are available with all commands."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "<option>--debug</option> <replaceable>LEVEL</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_useradd"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "create a new user"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_useradd</command> creates a new user account using the values "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"specified on the command line plus the default values from the system."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"not given, it is chosen automatically."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Any text string describing the user. Often used as the field for the user's "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The home directory of the user account. The default is to append the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"that as the home directory. The base that is prepended before "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"baseDirectory</quote> setting in sssd.conf."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The user's login shell. The default is currently <filename>/bin/bash</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"filename>. The default can be changed with <quote>user_defaults/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"defaultShell</quote> setting in sssd.conf."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "A list of existing groups this user is also a member of."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-m</option>,<option>--create-home</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Create the user's home directory if it does not exist. The files and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directories contained in the skeleton directory (which can be defined with "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the -k option or in the config file) will be copied to the home directory."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-M</option>,<option>--no-create-home</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Do not create the user's home directory. Overrides configuration settings."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The skeleton directory, which contains files and directories to be copied in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the user's home directory, when the home directory is created by "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_useradd</command>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek"Special files (block devices, character devices, named pipes and unix "
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek"sockets) will not be copied."
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option is only valid if the <option>-m</option> (or <option>--create-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"home</option>) option is specified, or creation of home directories is set "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to TRUE in the configuration."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-Z</option>,<option>--selinux-user</option> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>SELINUX_USER</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The SELinux user for the user's login. If not specified, the system default "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"will be used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sssd-krb5"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "SSSD Kerberos provider"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This manual page describes the configuration of the Kerberos 5 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication backend for <citerefentry> <refentrytitle>sssd</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"manvolnum> </citerefentry> manual page."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The Kerberos 5 authentication backend contains auth and chpass providers. It "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"must be paired with an identity provider in order to function properly (for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"example, id_provider = ldap). Some information required by the Kerberos 5 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication backend must be provided by the identity provider, such as "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the user's Kerberos Principal Name (UPN). The configuration of the identity "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider should have an entry to specify the UPN. Please refer to the man "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"page for the applicable identity provider for details on how to configure "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This backend also provides access control based on the .k5login file in the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that an empty .k5login file will deny all access to this user. "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"To activate this feature, use 'access_provider = krb5' in your SSSD "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"configuration."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"In the case where the UPN is not available in the identity backend, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sssd</command> will construct a UPN using the format "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Specifies the comma-separated list of IP addresses or hostnames of the "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Kerberos servers to which SSSD should connect, in the order of preference. "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"For more information on failover and server redundancy, see the "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"colon) may be appended to the addresses or hostnames. If empty, service "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"discovery is enabled; for more information, refer to the <quote>SERVICE "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"DISCOVERY</quote> section."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The name of the Kerberos realm. This option is required and must be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "krb5_kpasswd, krb5_backup_kpasswd (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"If the change password service is not running on the KDC, alternative "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"servers can be defined here. An optional port number (preceded by a colon) "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"may be appended to the addresses or hostnames."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For more information on failover and server redundancy, see the "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"servers to try, the backend is not switched to operate offline if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication against the KDC is still possible."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Use the KDC"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_ccachedir (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Directory to store credential caches. All the substitution sequences of "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"krb5_ccname_template can be used here, too, except %d and %P. The directory "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"is created as private and owned by the user, with permissions set to 0700."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: /tmp"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_ccname_template (string)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#: sssd-krb5.5.xml:165 include/override_homedir.xml:11
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#: sssd-krb5.5.xml:166 include/override_homedir.xml:12
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "login name"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#: sssd-krb5.5.xml:169 include/override_homedir.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "login UID"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "principal name"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "realm name"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "home directory"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#: sssd-krb5.5.xml:187 include/override_homedir.xml:19
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "value of krb5_ccachedir"
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#: sssd-krb5.5.xml:193 include/override_homedir.xml:31
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "the process ID of the SSSD client"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#: sssd-krb5.5.xml:199 include/override_homedir.xml:49
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#: sssd-krb5.5.xml:200 include/override_homedir.xml:50
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "a literal '%'"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"Location of the user's credential cache. Three credential cache types are "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"currently supported: <quote>FILE</quote>, <quote>DIR</quote> and "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"<quote>KEYRING:persistent</quote>. The cache can be specified either as "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"implies the <quote>FILE</quote> type. In the template, the following "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"the template ends with 'XXXXXX' mkstemp(3) is used to create a unique "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"filename in a safe way."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"When using KEYRING types, the only supported mechanism is <quote>KEYRING:"
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"persistent:%U</quote>, which uses the Linux kernel keyring to store "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"credentials on a per-UID basis. This is also the recommended choice, as it "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"is the most secure and predictable method."
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"The default value for the credential cache name is sourced from the profile "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"stored in the system wide krb5.conf configuration file in the [libdefaults] "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"section. The option name is default_ccache_name. See krb5.conf(5)'s "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"PARAMETER EXPANSION paragraph for additional information on the expansion "
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek"format defined by krb5.conf."
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"NOTE: Please be aware that libkrb5 ccache expansion template from "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"manvolnum> </citerefentry> uses different expansion sequences than SSSD."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a9228ebcce14888b3123bdf46e610e0900bcd2ccJakub Hrozekmsgid "Default: (from libkrb5)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_auth_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Timeout in seconds after an online authentication request or change password "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"request is aborted. If possible, the authentication request is continued "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "krb5_validate (boolean)"
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Verify with the help of krb5_keytab that the TGT obtained has not been "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"spoofed. The keytab is checked for entries sequentially, and the first entry "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"with a matching realm is used for validation. If no entry matches the realm, "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"the last entry in the keytab is used. This process can be used to validate "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"environments using cross-realm trust by placing the appropriate keytab entry "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"as the last entry or the only entry in the keytab file."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_keytab (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The location of the keytab to use when validating credentials obtained from "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: /etc/krb5.keytab"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_store_password_if_offline (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Store the password of the user if the provider is offline and use it to "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"request a TGT when the provider comes online again."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"NOTE: this feature is only available on Linux. Passwords stored in this way "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"are kept in plaintext in the kernel keyring and are potentially accessible "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"by the root user (with difficulty)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_renewable_lifetime (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Request a renewable ticket with a total lifetime, given as an integer "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"immediately followed by a time unit:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#: sssd-krb5.5.xml:314 sssd-krb5.5.xml:348 sssd-krb5.5.xml:385
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "<emphasis>s</emphasis> for seconds"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#: sssd-krb5.5.xml:317 sssd-krb5.5.xml:351 sssd-krb5.5.xml:388
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "<emphasis>m</emphasis> for minutes"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#: sssd-krb5.5.xml:320 sssd-krb5.5.xml:354 sssd-krb5.5.xml:391
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "<emphasis>h</emphasis> for hours"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#: sssd-krb5.5.xml:323 sssd-krb5.5.xml:357 sssd-krb5.5.xml:394
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "<emphasis>d</emphasis> for days."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"NOTE: It is not possible to mix units. To set the renewable lifetime to one "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"and a half hours, use '90m' instead of '1h30m'."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: not set, i.e. the TGT is not renewable"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_lifetime (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Request ticket with a lifetime, given as an integer immediately followed by "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"a time unit:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "If there is no unit given <emphasis>s</emphasis> is assumed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"NOTE: It is not possible to mix units. To set the lifetime to one and a "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"half hours please use '90m' instead of '1h30m'."
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: not set, i.e. the default ticket lifetime configured on the KDC."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "krb5_renew_interval (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The time in seconds between two checks if the TGT should be renewed. TGTs "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"are renewed if about half of their lifetime is exceeded, given as an integer "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"immediately followed by a time unit:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "If this option is not set or is 0 the automatic renewal is disabled."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "krb5_use_fast (string)"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"authentication. The following options are supported:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"option at all."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"continue the authentication without it."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"server does not require fast."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: not set, i.e. FAST is not used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "NOTE: a keytab is required to use FAST."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"SSSD is used with an older version of MIT Kerberos, using this option is a "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"configuration error."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_fast_principal (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies the server principal to use for FAST."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies if the host and user principal should be canonicalized. This "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"feature is available with MIT Kerberos 1.7 and later versions."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "krb5_use_enterprise_principal (boolean)"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"Specifies if the user principal should be treated as enterprise principal. "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"See section 5 of RFC 6806 for more details about enterprise principals."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Default: false (AD provider: true)"
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"The IPA provider will set to option to 'true' if it detects that the server "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"is capable of handling enterprise principals and the option is not set "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"explicitly in the config file."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozekmsgid "krb5_map_user (string)"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"The list of mappings is given as a comma-separated list of pairs "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<quote>username:primary</quote> where <quote>username</quote> is a UNIX user "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"name and <quote>primary</quote> is a user part of a kerberos principal. This "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"mapping is used when user is authenticating using <quote>auth_provider = "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"krb5</quote>."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"krb5_realm = REALM\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"krb5_map_user = joe:juser,dick:richard\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<quote>joe</quote> and <quote>dick</quote> are UNIX user names and "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"If the auth-module krb5 is used in an SSSD domain, the following options "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"must be used. See the <citerefentry> <refentrytitle>sssd.conf</"
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following example assumes that SSSD is correctly configured and FOO is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"example shows only configuration of Kerberos authentication; it does not "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"include any identity provider."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"auth_provider = krb5\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"krb5_server = 192.168.1.1\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"krb5_realm = EXAMPLE.COM\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_groupadd"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "create a new group"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupadd</command> creates a new group. These groups are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"compatible with POSIX groups, with the additional feature that they can "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"contain other groups as members."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Set the GID of the group to the value of <replaceable>GID</replaceable>. If "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"not given, it is chosen automatically."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_userdel"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "delete a user account"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_userdel</command> deletes a user identified by login name "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>LOGIN</replaceable> from the system."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-r</option>,<option>--remove</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Files in the user's home directory will be removed along with the home "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directory itself and the user's mail spool. Overrides the configuration."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-R</option>,<option>--no-remove</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Files in the user's home directory will NOT be removed along with the home "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directory itself and the user's mail spool. Overrides the configuration."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-f</option>,<option>--force</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option forces <command>sss_userdel</command> to remove the user's home "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directory and mail spool, even if they are not owned by the specified user."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-k</option>,<option>--kick</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Before actually deleting the user, terminate all his processes."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_groupdel"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "delete a group"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupdel</command> deletes a group identified by its name "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>GROUP</replaceable> from the system."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_groupshow"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "print properties of a group"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupshow</command> displays information about a group "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"identified by its name <replaceable>GROUP</replaceable>. The information "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"includes the group ID number, members of the group and the parent group."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-R</option>,<option>--recursive</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Also print indirect group members in a tree-like hierarchy. Note that this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"also affects printing parent groups - without <option>R</option>, only the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"direct parent will be printed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_usermod"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "modify a user account"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_usermod</command> modifies the account specified by "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"on the command line."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The home directory of the user account."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The user's login shell."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Append this user to groups specified by the <replaceable>GROUPS</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"a comma separated list of group names."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Remove this user from groups specified by the <replaceable>GROUPS</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> parameter."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-l</option>,<option>--lock</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Lock the user account. The user won't be able to log in."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-u</option>,<option>--unlock</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Unlock the user account."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The SELinux user for the user's login."
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozekmsgid "<option>--addattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozekmsgid "Add an attribute/value pair. The format is attrname=value."
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozekmsgid "<option>--setattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"Set an attribute to a name/value pair. The format is attrname=value. For "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"multi-valued attributes, the command replaces the values already present"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozekmsgid "<option>--delattr</option> <replaceable>ATTR_NAME_VAL</replaceable>"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozekmsgid "Delete an attribute/value pair. The format is attrname=value."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_cache"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "perform cache cleanup"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"records are forced to be reloaded from server as soon as related SSSD "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"backend is online. Options that invalidate a single object only accept a "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"single provided argument."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozekmsgid "<option>-E</option>,<option>--everything</option>"
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozekmsgid "Invalidate all cached entries."
d6d50c17e94dc0d3000345e8a933311c14bbb828Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Invalidate specific user."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-U</option>,<option>--users</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Invalidate all user records. This option overrides invalidation of specific "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"user if it was also set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Invalidate specific group."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-G</option>,<option>--groups</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Invalidate all group records. This option overrides invalidation of specific "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"group if it was also set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Invalidate specific netgroup."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-N</option>,<option>--netgroups</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Invalidate all netgroup records. This option overrides invalidation of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"specific netgroup if it was also set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-s</option>,<option>--service</option> <replaceable>service</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Invalidate specific service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-S</option>,<option>--services</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Invalidate all service records. This option overrides invalidation of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"specific service if it was also set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Invalidate specific autofs maps."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-A</option>,<option>--autofs-maps</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Invalidate all autofs maps. This option overrides invalidation of specific "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"map if it was also set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Invalidate SSH public keys of a specific host."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "<option>-H</option>,<option>--ssh-hosts</option>"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"Invalidate SSH public keys of all hosts. This option overrides invalidation "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"of SSH public keys of specific host if it was also set."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"replaceable>"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "Invalidate particular sudo rule."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "<option>-R</option>,<option>--sudo-rules</option>"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Invalidate all cached sudo rules. This option overrides invalidation of "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"specific sudo rule if it was also set."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<option>-d</option>,<option>--domain</option> <replaceable>domain</"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"replaceable>"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Restrict invalidation process only to a particular domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_debuglevel"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "[DEPRECATED] change debug level while SSSD is running"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable></arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<command>sss_debuglevel</command> is deprecated and replaced by the sssctl "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"debug-level command. Please refer to the <command>sssctl</command> man page "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"for more information on sssctl usage."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "sss_seed"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "seed the SSSD cache with a user"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<command>sss_seed</command> seeds the SSSD cache with a user entry and "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"temporary password. If a user entry is already present in the SSSD cache "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"then the entry is updated with the temporary password."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Provide the name of the domain in which the user is a member of. The domain "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"is also used to retrieve user information. The domain must be configured in "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Information retrieved from the domain overrides what is provided in the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<option>-n</option>,<option>--username</option> <replaceable>USER</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The username of the entry to be created or modified in the cache. The "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<replaceable>USER</replaceable> option must be provided."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Set the UID of the user to <replaceable>UID</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Set the GID of the user to <replaceable>GID</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Set the login shell of the user to <replaceable>SHELL</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Interactive mode for entering user information. This option will only prompt "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"for information not provided in the options or retrieved from the domain."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Specify file to read user's password from. (if not specified password is "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"prompted for)"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"The length of the password (or the size of file specified with -p or --"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"on systems with no globally-defined PASS_MAX value)."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "sssd-ifp"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "SSSD InfoPipe responder"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"This manual page describes the configuration of the InfoPipe responder for "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The InfoPipe responder provides a public D-Bus interface accessible over the "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"system bus. The interface allows the user to query information about remote "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"users and groups over the system bus."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "These options can be used to configure the InfoPipe responder."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Specifies the comma-separated list of UID values or user names that are "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"allowed to access the InfoPipe responder. User names are resolved to UIDs at "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Default: 0 (only the root user is allowed to access the InfoPipe responder)"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Please note that although the UID 0 is used as the default it will be "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"overwritten with this option. If you still want to allow the root user to "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"access the InfoPipe responder, which would be the typical case, you have to "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"add 0 to the list of allowed UIDs as well."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Specifies the comma-separated list of white or blacklisted attributes."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "user's login name"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "uidNumber"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "user ID"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "gidNumber"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "primary group ID"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "gecos"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "user information, typically full name"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "homeDirectory"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "loginShell"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "user shell"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"By default, the InfoPipe responder only allows the default set of POSIX "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"attributes to be requested. This set is the same as returned by "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"user_attributes = +telephoneNumber, -loginShell\n"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"It is possible to add another attribute to this set by using <quote>"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"+attr_name</quote> or explicitly remove an attribute using <quote>-"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"deny <quote>loginShell</quote>, you would use the following configuration: "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Default: not set. Only the default set of POSIX attributes is allowed."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"Specifies an upper limit on the number of entries that are downloaded during "
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek"a wildcard lookup that overrides caller-supplied limit."
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
261cdde02b40aa8dabb3d69e43586a5a220647e9Jakub Hrozekmsgid "Default: 0 (let the caller set an upper limit)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refentryinfo>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "sss_rpcidmapd"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "sss plugin configuration directives for rpc.idmapd"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "CONFIGURATION FILE"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "SSS CONFIGURATION EXTENSION"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Enable SSS plugin"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"attribute to contain <emphasis>sss</emphasis>."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "[sss] config section"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"In order to change the default of one of the configuration attributes of the "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<emphasis>sss</emphasis> plugin listed below you will need to create a "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"config section for it, named <quote>[sss]</quote>."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Configuration attributes"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "memcache (bool)"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "Indicates whether or not to use memcache optimisation technique."
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "SSSD INTEGRATION"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"The attribute <quote>use_fully_qualified_names</quote> must be enabled on "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"all domains (NFSv4 clients expect a fully qualified name to be sent on the "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"[General]\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"Verbosity = 2\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"# domain must be synced between NFSv4 server and clients\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"# Solaris/Illumos/AIX use \"localdomain\" as default!\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"Domain = default\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"[Mapping]\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"Nobody-User = nfsnobody\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"Nobody-Group = nfsnobody\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"[Translation]\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"Method = sss\n"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"The following example shows a minimal idmapd.conf which makes use of the sss "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"plugin. <placeholder type=\"programlisting\" id=\"0\"/>"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <refsect1><title>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:180 include/seealso.xml:2
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozekmsgid "SEE ALSO"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_ssh_authorizedkeys"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refmeta><manvolnum>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "get OpenSSH authorized keys"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>options</replaceable> </arg> <arg "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"choice='plain'><replaceable>USER</replaceable></arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"command> for public key user authentication if it is compiled with support "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"for <quote>AuthorizedKeysCommand</quote> option. Please refer to the "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"manvolnum></citerefentry> man page for more details about this option."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek" AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek" AuthorizedKeysCommandUser nobody\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If <quote>AuthorizedKeysCommand</quote> is supported, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"citerefentry> can be configured to use it by putting the following "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<manvolnum>5</manvolnum></citerefentry>: <placeholder type=\"programlisting"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#: sss_ssh_authorizedkeys.1.xml:84 sss_ssh_knownhostsproxy.1.xml:92
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "EXIT STATUS"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#: sss_ssh_authorizedkeys.1.xml:86 sss_ssh_knownhostsproxy.1.xml:94
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_ssh_knownhostsproxy"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "get OpenSSH host keys"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>options</replaceable> </arg> <arg "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/"
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"pubconf/known_hosts</filename> and establishes the connection to the host."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"create the connection to the host instead of opening a socket."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"command> for host key authentication by using the following directives for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Use port <replaceable>PORT</replaceable> to connect to the host. By "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"default, port 22 is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozekmsgid "idmap_sss"
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "SSSD's idmap_sss Backend for Winbind"
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek"The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. "
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek"No database is required in this case as the mapping is done by SSSD."
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozekmsgid "IDMAP OPTIONS"
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozekmsgid "range = low - high"
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Defines the available matching UID and GID range for which the backend is "
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek"authoritative."
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek"This example shows how to configure idmap_sss as the default mapping module."
a86d6cd05e3f823214587475b83d907f394c035eJakub Hrozek#. type: Content of: <reference><refentry><refsect1><programlisting>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"security = domain\n"
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"workgroup = MAIN\n"
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"idmap config * : backend = sss\n"
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"idmap config * : range = 200000-2147483647\n"
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozekmsgid "sssctl"
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozekmsgid "SSSD control and status utility"
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</"
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </"
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"<command>sssctl</command> provides a simple and unified way to obtain "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"information about SSSD status, such as active server, auto-discovered "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"servers, domains and cached objects. In addition, it can manage SSSD data "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"files for troubleshooting in such a way that is safe to manipulate while "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"SSSD is running."
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"To list all available commands run <command>sssctl</command> without any "
ad805face83ba7d67b1cf2067a1982c7e63d1060Jakub Hrozek"parameters. To print help for selected command run <command>sssctl COMMAND --"
d25fa6f2608d5fe0617ada47f9d426f45deb96ffJakub Hrozek"help</command>."
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozekmsgid "sssd-files"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozekmsgid "SSSD files provider"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"This manual page describes the files provider for <citerefentry> "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"The files provider mirrors the content of the <citerefentry> "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"provider is to make the users and groups traditionally only accessible with "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"NSS interfaces also available through the SSSD interfaces such as "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"manvolnum> </citerefentry>."
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"The files provider has no specific options of its own, however, generic SSSD "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"domain options can be set where applicable. Refer to the section "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"<quote>DOMAIN SECTIONS</quote> of the <citerefentry> <refentrytitle>sssd."
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"for details on the configuration of an SSSD domain."
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"The following example assumes that SSSD is correctly configured and files is "
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"one of the domains in the <replaceable>[sssd]</replaceable> section."
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"id_provider = files\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "sssd-secrets"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "SSSD Secrets responder"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"This manual page describes the configuration of the Secrets responder for "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"Many system and user applications need to store private information such as "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"passwords or service keys and have no good way to properly deal with them. "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The simple approach is to embed these <quote>secrets</quote> into "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"configuration files potentially ending up exposing sensitive key material to "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"backups, config management system and in general making it harder to secure "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The <ulink url=\"https://github.com/latchset/custodia\">custodia</ulink> "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"project was born to deal with this problem in cloud like environments, but "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"we found the idea compelling even at a single system level. As a security "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"service, SSSD is ideal to host this capability while offering the same API "
7465d6a1ef6e83825dba3a4dc4dda7271671aba0Jakub Hrozek"via a UNIX Socket. This will make it possible to use local calls and have "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"them transparently routed to a local or a remote key management store like "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"IPA Vault for storage, escrow and recovery."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The secrets are simple key-value pairs. Each user's secrets are namespaced "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"using their user ID, which means the secrets will never collide between "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"users. Secrets can be stored inside <quote>containers</quote> which can be "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "secrets"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "secrets for general usage"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"used by the <citerefentry> <refentrytitle>sssd-kcm</refentrytitle> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<manvolnum>8</manvolnum> </citerefentry> service."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Since the secrets responder can be used both externally to store general "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"secrets, as described in the rest of this man page, but also internally by "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"other SSSD components to store their secret material, some configuration "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"options, like quotas can be configured per <quote>hive</quote> in a "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"configuration subsection named after the hive. The currently supported hives "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"are: <placeholder type=\"variablelist\" id=\"0\"/>"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "USING THE SECRETS RESPONDER"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The UNIX socket the SSSD responder listens on is located at <filename>/var/"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"systemctl start sssd-secrets.socket\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"systemctl enable sssd-secrets.socket\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"systemctl enable sssd-secrets.service\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The secrets responder is socket-activated by <citerefentry> "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"citerefentry>. Unlike other SSSD responders, it cannot be started by adding "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"the <quote>secrets</quote> string to the <quote>service</quote> directive. "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The systemd socket unit is called <quote>sssd-secrets.socket</quote> and the "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"corresponding service file is called <quote>sssd-secrets.service</quote>. In "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"order for the service to be socket-activated, make sure the socket is "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"enabled and active and the service is enabled: <placeholder type="
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"\"programlisting\" id=\"0\"/> Please note your distribution may already "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"configure the units for you."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The generic SSSD responder options such as <quote>debug_level</quote> or "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"<quote>fd_limit</quote> are accepted by the secrets responder. Please refer "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"to the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"manvolnum> </citerefentry> manual page for a complete list. In addition, "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"there are some secrets-specific options as well."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"The secrets responder is configured with a global <quote>[secrets]</quote> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"section and an optional per-user <quote>[secrets/users/$uid]</quote> section "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"in <filename>sssd.conf</filename>. Please note that some options, notably as "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"the provider type, can only be specified in the per-user subsections."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "provider (string)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "local"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The secrets are stored in a local database, encrypted at rest with a master "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"key. The local provider does not have any additional config options at the "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "proxy"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The secrets responder forwards the requests to a Custodia server. The proxy "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"provider supports several additional options (see below)."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"This option specifies where should the secrets be stored. The secrets "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"responder can configure a per-user subsections (e.g. <quote>[secrets/"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"users/123]</quote> - see bottom of this manual page for a full example using "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Custodia for a particular user) that define which provider store the secrets "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"for this particular user. The per-user subsections should contain all "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"options for that user's provider. Please note that currently the global "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"provider is always local, the proxy provider can only be specified in a per-"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"user section. The following providers are supported: <placeholder type="
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"\"variablelist\" id=\"0\"/>"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Default: local"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"The following options affect only the secrets <quote>hive</quote> and "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"therefore should be set in a per-hive subsection. Setting the option to 0 "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"means \"unlimited\"."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "containers_nest_level (integer)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "This option specifies the maximum allowed number of nested containers."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Default: 4"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "max_secrets (integer)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"This option specifies the maximum number of secrets that can be stored in "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Default: 1024 (secrets hive), 256 (kcm hive)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "max_uid_secrets (integer)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"This option specifies the maximum number of secrets that can be stored per-"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"UID in the hive."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Default: 256 (secrets hive), 64 (kcm hive)"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "max_payload_size (integer)"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"This option specifies the maximum payload size allowed for a secret payload "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"in kilobytes."
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Default: 16 (secrets hive), 65536 (64 MiB) (kcm hive)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"max_payload_size = 128\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"max_payload_size = 256\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"For example, to adjust quotas differently for both the <quote>secrets</"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"quote> and the <quote>kcm</quote> hives, configure the following: "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The following options are only applicable for configurations that use the "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"<quote>proxy</quote> provider."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "proxy_url (string)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The URL the Custodia server is listening on. At the moment, http and https "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"protocols are supported."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "http[s]://<host>[:port]"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "auth_type (string)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The method to use when authenticating to a Custodia server. The following "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"authentication methods are supported:"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "basic_auth"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"Authenticate with a username and a password as set in the <quote>username</"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"quote> and <quote>password</quote> options."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "header"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"Authenticate with HTTP header value as defined in the "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"<quote>auth_header_name</quote> and <quote>auth_header_value</quote> "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"configuration options."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "auth_header_name (string)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"If set, the secrets responder would put a header with this name into the "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"HTTP request with the value defined in the <quote>auth_header_value</quote> "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"configuration option."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Example: MYSECRETNAME"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "auth_header_value (string)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The value sssd-secrets would use for the <quote>auth_header_name</quote>."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Example: mysecret"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "forward_headers (list of strings)"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The list of HTTP headers to forward to the Custodia server together with the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "verify_peer (boolean)"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Whether peer's certificate should be verified and valid if HTTPS protocol is "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"used with the proxy provider."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "verify_host (boolean)"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Whether peer's hostname must match with hostname in its certificate if HTTPS "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"protocol is used with the proxy provider."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "capath (string)"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Path to directory containing stored certificate authority certificates. "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"System default path is used if this option is not set."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "cacert (string)"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Path to file containing server's certificate authority certificate. If this "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"option is not set then the CA's certificate is looked up in <quote>capath</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "cert (string)"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Path to file containing client's certificate if required by the server. This "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"file may also contain private key or the private key may be in separate file "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"set with <quote>key</quote>."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "key (string)"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Path to file containing client's private key."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "USING THE REST API"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"This section lists the available commands and includes examples using the "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"<citerefentry> <refentrytitle>curl</refentrytitle> <manvolnum>1</manvolnum> "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"</citerefentry> utility. All requests towards the proxy provider must set "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"the Content Type header to <quote>application/json</quote>. In addition, the "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"local provider also supports Content Type set to <quote>application/octet-"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"stream</quote>. Secrets stored with requests that set the Content Type "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"header to <quote>application/octet-stream</quote> are base64-encoded when "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"stored and decoded when retrieved, so it's not possible to store a secret "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"with one Content Type and retrieve with another. The secret URI must begin "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"with <filename>/secrets/</filename>."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Listing secrets"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"To list the available secrets, send a HTTP GET request with a trailing slash "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"appended to the container path."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"curl -H \"Content-Type: application/json\" \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek" --unix-socket /var/run/secrets.socket \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Retrieving a secret"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"To read a value of a single secret, send a HTTP GET request without a "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"trailing slash. The last portion of the URI is the name of the secret."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"curl -H \"Content-Type: application/json\" \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek" --unix-socket /var/run/secrets.socket \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"curl -H \"Content-Type: application/octet-stream\" \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek" --unix-socket /var/run/secrets.socket \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"Examples: <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"\"programlisting\" id=\"1\"/>"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Setting a secret"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"To set a secret using the <quote>application/json</quote> type, send a HTTP "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"PUT request with a JSON payload that includes type and value. The type "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"should be set to \"simple\" and the value should be set to the secret value. "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"If a secret with that name already exists, the response is a 409 HTTP error."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The <quote>application/json</quote> type just sends the secret as the "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"message payload."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"curl -H \"Content-Type: application/json\" \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek" --unix-socket /var/run/secrets.socket \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek" -d'{\"type\":\"simple\",\"value\":\"foosecret\"}'\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"curl -H \"Content-Type: application/octet-stream\" \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek" --unix-socket /var/run/secrets.socket \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek" -d'barsecret'\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The following example sets a secret named 'foo' to a value of 'foosecret' "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"and a secret named 'bar' to a value of 'barsecret' using a different Content "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"Type. <placeholder type=\"programlisting\" id=\"0\"/> <placeholder type="
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"\"programlisting\" id=\"1\"/>"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Creating a container"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"Containers provide an additional namespace for this user's secrets. To "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"create a container, send a HTTP POST request, whose URI ends with the "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"container name. Please note the URI must end with a trailing slash."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"curl -H \"Content-Type: application/json\" \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek" --unix-socket /var/run/secrets.socket \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek" -XPOST http://localhost/secrets/mycontainer/\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The following example creates a container named 'mycontainer': <placeholder "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"type=\"programlisting\" id=\"0\"/>"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"http://localhost/secrets/mycontainer/mysecret\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"To manipulate secrets under this container, just nest the secrets underneath "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"the container path: <placeholder type=\"programlisting\" id=\"0\"/>"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "Deleting a secret or a container"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"To delete a secret or a container, send a HTTP DELETE request with a path to "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"the secret or the container."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"curl -H \"Content-Type: application/json\" \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek" --unix-socket /var/run/secrets.socket \\\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"The following example deletes a secret named 'foo'. <placeholder type="
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"\"programlisting\" id=\"0\"/>"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozekmsgid "EXAMPLE CUSTODIA AND PROXY PROVIDER CONFIGURATION"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"For testing the proxy provider, you need to set up a Custodia server to "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"proxy requests to. Please always consult the Custodia documentation, the "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"configuration directives might change with different Custodia versions."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"server_version = \"Secret/0.0.7\"\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"debug = True\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"[store:simple]\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"table = secrets\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"[auth:header]\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"handler = custodia.httpd.authenticators.SimpleHeaderAuth\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"header = MYSECRETNAME\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"value = mysecretkey\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"[authz:paths]\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"handler = custodia.httpd.authorizers.SimplePathAuthz\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"paths = /secrets\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"store = simple\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"This configuration will set up a Custodia server listening on http://"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"localhost:8080, allowing anyone with header named MYSECRETNAME set to "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"mysecretkey to communicate with the Custodia server. Place the contents "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"into a file (for example, <replaceable>custodia.conf</replaceable>): "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"Then run the <replaceable>custodia</replaceable> command, pointing it at the "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"config file as a command line argument."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"Please note that currently it's not possible to proxy all requests globally "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"to a Custodia instance. Instead, per-user subsections for user IDs that "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"should proxy requests to Custodia must be defined. The following example "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"illustrates a configuration, where the user with UID 123 would proxy their "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"requests to Custodia, but all other user's requests would be handled by a "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"local provider."
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><programlisting>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"[secrets]\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"provider = proxy\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"auth_type = header\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"auth_header_name = MYSECRETNAME\n"
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"auth_header_value = mysecretkey\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "sssd-session-recording"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Configuring session recording with SSSD"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"This manual page describes how to configure <citerefentry> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"implement user session recording on text terminals. For a detailed "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"configuration syntax reference, refer to the <quote>FILE FORMAT</quote> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> manual page."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"SSSD can be set up to enable recording of everything specific users see or "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"type during their sessions on text terminals. E.g. when users log in on the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"console, or via SSH. SSSD itself doesn't record anything, but makes sure "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"tlog-rec-session is started upon user login, so it can record according to "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"its configuration."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"For users with session recording enabled, SSSD replaces the user shell with "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"tlog-rec-session in NSS responses, and adds a variable specifying the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"original shell to the user environment, upon PAM session setup. This way "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"tlog-rec-session can be started in place of the user shell, and know which "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"actual shell to start, once it set up the recording."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "These options can be used to configure the session recording."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"The following snippet of sssd.conf enables session recording for users "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"\"contractor1\" and \"contractor2\", and group \"students\"."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"[session_recording]\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"scope = some\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"users = contractor1, contractor2\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"groups = students\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "sssd-kcm"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "SSSD Kerberos Cache Manager"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"This manual page describes the configuration of the SSSD Kerberos Cache "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Manager (KCM). KCM is a process that stores, tracks and manages Kerberos "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"credential caches. It originates in the Heimdal Kerberos project, although "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"the MIT Kerberos library also provides client side (more details on that "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"below) support for the KCM credential cache."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"In a setup where Kerberos caches are managed by KCM, the Kerberos library "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"(typically used through an application, like e.g., <citerefentry> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"being referred to as a <quote>\"KCM server\"</quote>. The client and server "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"communicate over a UNIX socket."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"The KCM server keeps track of each credential caches's owner and performs "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"access check control based on the UID and GID of the KCM client. The root "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"user has access to all credential caches."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "The KCM credential cache has several interesting properties:"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"since the process runs in userspace, it is subject to UID namespacing, "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"unlike the kernel keyring"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"unlike the kernel keyring-based cache, which is shared between all "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"containers, the KCM server is a separate process whose entry point is a UNIX "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the SSSD implementation stores the ccaches in the SSSD <citerefentry> "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</manvolnum> </"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"citerefentry> secrets store, allowing the ccaches to survive KCM server "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"restarts or machine reboots."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"This allows the system to use a collection-aware credential cache, yet share "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the credential cache between some or no containers by bind-mounting the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "USING THE KCM CREDENTIAL CACHE"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"[libdefaults]\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek" default_ccache_name = KCM:\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"In order to use KCM credential cache, it must be selected as the default "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"credential type in <citerefentry> <refentrytitle>krb5.conf</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"cache name must be only <quote>KCM:</quote> without any template "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Next, make sure the Kerberos client libraries and the KCM server must agree "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"on the UNIX socket path. By default, both use the same path <replaceable>/"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"library, change its <quote>kcm_socket</quote> option which is described in "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"manvolnum> </citerefentry> manual page."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"systemctl start sssd-kcm.socket\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"systemctl enable sssd-kcm.socket\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"Finally, make sure the SSSD KCM server can be contacted. The KCM service is "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"typically socket-activated by <citerefentry> <refentrytitle>systemd</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"services, it cannot be started by adding the <quote>kcm</quote> string to "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the <quote>service</quote> directive. <placeholder type=\"programlisting\" "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"id=\"0\"/> Please note your distribution may already configure the units for "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "THE CREDENTIAL CACHE STORAGE"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"systemctl start sssd-secrets.socket\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"systemctl enable sssd-secrets.socket\n"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The credential caches are stored in the SSSD secrets service (see "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<citerefentry> <refentrytitle>sssd-secrets</refentrytitle><manvolnum>5</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"manvolnum> </citerefentry> for more details). Therefore it is important that "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"also the sssd-secrets service is enabled and its socket is started: "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/> Your distribution should "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"already set the dependencies between the services."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The KCM service is configured in the <quote>kcm</quote> section of the sssd."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"conf file. Please note that currently, is it not sufficient to restart the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"sssd-kcm service, because the sssd configuration is only parsed and read to "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"an internal configuration database by the sssd service. Therefore you must "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"restart the sssd service if you change anything in the <quote>kcm</quote> "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"section of sssd.conf. For a detailed syntax reference, refer to the "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<quote>FILE FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"The generic SSSD service options such as <quote>debug_level</quote> or "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<quote>fd_limit</quote> are accepted by the kcm service. Please refer to "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"manvolnum> </citerefentry> manual page for a complete list. In addition, "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"there are some KCM-specific options as well."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "socket_path (string)"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "The socket the KCM service will listen on."
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozekmsgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry>,"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "sssd-systemtap"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "SSSD systemtap information"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"This manual page provides information about the systemtap functionality in "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"</citerefentry>."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"SystemTap Probe points have been added into various locations in SSSD code "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"to assist in troubleshooting and analyzing performance related issues."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Probes and miscellaneous functions are defined in /usr/share/systemtap/"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"respectively."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "PROBE POINTS"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:341
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"The information below lists the probe points and arguments available in the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"following format:"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe $name"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Description of probe point"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"variable1:datatype\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"variable2:datatype\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"variable3:datatype\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Database Transaction Probes"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sssd_transaction_start"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Start of a sysdb transaction, probes the sysdb_transaction_start() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"nesting:integer\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"probestr:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sssd_transaction_cancel"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sssd_transaction_commit_before"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sysdb_transaction_commit_before() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sssd_transaction_commit_after"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sysdb_transaction_commit_after() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "LDAP Search Probes"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sdap_search_send"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sdap_get_generic_ext_send() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-systemtap.5.xml:152 sssd-systemtap.5.xml:167 sssd-systemtap.5.xml:196
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"base:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"scope:integer\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"filter:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"probestr:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sdap_search_recv"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sdap_get_generic_ext_recv() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sdap_deref_send"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sdap_deref_search_send() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"base_dn:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"deref_attr:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"probestr:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sdap_deref_recv"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sdap_deref_search_recv() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "LDAP Account Request Probes"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sdap_acct_req_send"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sdap_acct_req_send() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-systemtap.5.xml:219 sssd-systemtap.5.xml:234
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"entry_type:int\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"filter_type:int\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"filter_value:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"extra_value:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sdap_acct_req_recv"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sdap_acct_req_recv() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "LDAP User Search Probes"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sdap_search_user_send"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sdap_search_user_send() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#: sssd-systemtap.5.xml:257 sssd-systemtap.5.xml:269 sssd-systemtap.5.xml:281
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"filter:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sdap_search_user_recv"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sdap_search_user_recv() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sdap_search_user_save_begin"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sdap_search_user_save_begin() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe sdap_search_user_save_end"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Probes the sdap_search_user_save_end() function."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Data Provider Request Probes"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe dp_req_send"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "A Data Provider request is submitted."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"dp_req_domain:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"dp_req_name:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"dp_req_target:int\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"dp_req_method:int\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "probe dp_req_done"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "A Data Provider request is completed."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"dp_req_name:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"dp_req_target:int\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"dp_req_method:int\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"dp_ret:int\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"dp_errorstr:string\n"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "MISCELLANEOUS FUNCTIONS"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "function acct_req_desc(entry_type)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Convert entry_type to string and return string"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"function sssd_acct_req_probestr(fc_name, entry_type, filter_type, "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"filter_value, extra_value)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Create probe string based on filter type"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "function dp_target_str(target)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Convert target to string and return string"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "function dp_method_str(target)"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Convert method to string and return string"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SERVICE DISCOVERY"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The service discovery feature allows back ends to automatically find the "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"appropriate servers to connect to using a special DNS query. This feature is "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"not supported for backup servers."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Configuration"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If no servers are specified, the back end automatically uses service "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"discovery to try to find a server. Optionally, the user may choose to use "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"both fixed server addresses and service discovery by inserting a special "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"preference is maintained. This feature is useful if, for example, the user "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"prefers to use service discovery whenever possible, and fall back to a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"specific server when no servers can be discovered using DNS."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The domain name"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> manual page for more details."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The protocol"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The queries usually specify _tcp as the protocol. Exceptions are documented "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"in respective option description."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "See Also"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For more information on the service discovery mechanism, refer to RFC 2782."
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek#. type: Content of: <refentryinfo>
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"<productname>SSSD</productname> <orgname>The SSSD upstream - https://pagure."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: outside any tag (error?)
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "FAILOVER"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The failover feature allows back ends to automatically switch to a different "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"server if the current server fails."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Failover Syntax"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The list of servers is given as a comma-separated list; any number of spaces "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is allowed around the comma. The servers are listed in order of preference. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The list can contain any number of servers."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"For each failover-enabled config option, two variants exist: "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"that servers in the primary list are preferred and backup servers are only "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"searched if no primary servers can be reached. If a backup server is "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"selected, a timeout of 31 seconds is set. After this timeout SSSD will "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"periodically try to reconnect to one of the primary servers. If it succeeds, "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"it will replace the current active (backup) server."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The Failover Mechanism"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The failover mechanism distinguishes between a machine and a service. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"back end first tries to resolve the hostname of a given machine; if this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"resolution attempt fails, the machine is considered offline. No further "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"attempts are made to connect to this machine for any other service. If the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"resolution attempt succeeds, the back end tries to connect to a service on "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"this machine. If the service connection attempt fails, then only this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"particular service is considered offline and the back end automatically "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"switches over to the next service. The machine is still considered online "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"and might still be tried for another service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Further connection attempts are made to machines or services marked as "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"offline after a specified period of time; this is currently hard coded to 30 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If there are no more machines to try, the back end as a whole switches to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"offline mode, and then attempts to reconnect every 30 seconds."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "Failover time outs and tuning"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"Resolving a server to connect to can be as simple as running a single DNS "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"query or can involve several steps, such as finding the correct site or "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"trying out multiple host names in case some of the configured servers are "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"not reachable. The more complex scenarios can take some time and SSSD needs "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"to balance between providing enough time to finish the resolution process "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"but on the other hand, not trying for too long before falling back to "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"offline mode. If the SSSD debug logs show that the server resolution is "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"timing out before a live server is contacted, you can consider changing the "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "dns_resolver_op_timeout"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "How long would SSSD talk to a single DNS server."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozekmsgid "dns_resolver_timeout"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"How long would SSSD try to resolve a failover service. This service "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"resolution internally might include several steps, such as resolving DNS SRV "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"queries or locating the site."
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"This section lists the available tunables. Please refer to their description "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"For LDAP-based providers, the resolve operation is performed as part of an "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"LDAP connection operation. Thefore, also the <quote>ldap_opt_timeout></"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"quote> timeout should be set to a larger value than "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<quote>dns_resolver_timeout</quote> which in turn should be set to a larger "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"value than <quote>dns_resolver_op_timeout</quote>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ID MAPPING"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The ID-mapping feature allows SSSD to act as a client of Active Directory "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"without requiring administrators to extend user attributes to support POSIX "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"attributes for user and group identifiers."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ignored. This is to avoid the possibility of conflicts between automatically-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"assigned and manually-assigned values. If you need to use manually-assigned "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"values, ALL values must be manually-assigned."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Please note that changing the ID mapping related configuration options will "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"cause user and group IDs to change. At the moment, SSSD does not support "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"changing IDs, so the SSSD database must be removed. Because cached passwords "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"are also stored in the database, removing the database should only be "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"performed while the authentication servers are reachable, otherwise users "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"might get locked out. In order to cache the password, an authentication must "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"be performed. It is not sufficient to use <citerefentry> "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"citerefentry> to remove the database, rather the process consists of:"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Making sure the remote servers are reachable"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Stopping the SSSD service"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Removing the database"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Starting the SSSD service"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Moreover, as the change of IDs might necessitate the adjustment of other "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"system properties such as file and directory ownership, it's advisable to "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"plan ahead and test the ID mapping configuration thoroughly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Mapping Algorithm"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Active Directory provides an objectSID for every user and group object in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the directory. This objectSID can be broken up into components that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"represent the Active Directory domain identity and the relative identifier "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(RID) of the user or group object."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"into equally-sized component sections - called \"slices\"-. Each slice "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"represents the space available to an Active Directory domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When a user or group entry for a particular domain is encountered for the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"first time, the SSSD allocates one of the available slices for that domain. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"In order to make this slice-assignment repeatable on different client "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"machines, we select the slice based on the following algorithm:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The SID string is passed through the murmurhash3 algorithm to convert it to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"a 32-bit hashed value. We then take the modulus of this value with the total "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"number of available slices to pick the slice."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"NOTE: It is possible to encounter collisions in the hash and subsequent "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"modulus. In these situations, we will select the next available slice, but "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"it may not be possible to reproduce the same exact set of slices on other "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"machines (since the order that they are encountered will determine their "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"slice). In this situation, it is recommended to either switch to using "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"explicit POSIX attributes in Active Directory (disabling ID-mapping) or "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"configure a default domain to guarantee that at least one is always "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"consistent. See <quote>Configuration</quote> for details."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_id_mapping = True\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_schema = ad\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The default configuration results in configuring 10,000 slices, each capable "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"of holding up to 200,000 IDs, starting from 200,000 and going up to "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"2,000,200,000. This should be sufficient for most deployments."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Advanced Configuration"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_range_min (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the lower bound of the range of POSIX IDs to use for mapping "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Active Directory user and group SIDs."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"NOTE: This option is different from <quote>min_id</quote> in that "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"<quote>min_id</quote> acts to filter the output of requests to this domain, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"whereas this option controls the range of ID assignment. This is a subtle "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"distinction, but the good general advice would be to have <quote>min_id</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#: include/ldap_id_mapping.xml:137 include/ldap_id_mapping.xml:191
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "Default: 200000"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_range_max (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the upper bound of the range of POSIX IDs to use for mapping "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Active Directory user and group SIDs."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"NOTE: This option is different from <quote>max_id</quote> in that "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"<quote>max_id</quote> acts to filter the output of requests to this domain, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"whereas this option controls the range of ID assignment. This is a subtle "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"distinction, but the good general advice would be to have <quote>max_id</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "Default: 2000200000"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_range_size (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the number of IDs available for each slice. If the range size "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"does not divide evenly into the min and max values, it will create as many "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"complete slices as it can."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"NOTE: The value of this option must be at least as large as the highest user "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"RID planned for use on the Active Directory server. User lookups and login "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"will fail for any user whose RID is greater than this value."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"For example, if your most recently-added Active Directory user has "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"It is important to plan ahead for future expansion, as changing this value "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"will result in changing all of the ID mappings on the system, leading to "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"users with different local IDs than they previously had."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_default_domain_sid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify the domain SID of the default domain. This will guarantee that this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"domain will always be assigned to slice zero in the ID map, bypassing the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"murmurhash algorithm described above."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_default_domain (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specify the name of the default domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_autorid_compat (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Changes the behavior of the ID-mapping algorithm to behave more similarly to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"winbind's <quote>idmap_autorid</quote> algorithm."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When this option is configured, domains will be allocated starting with "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"slice zero and increasing monatomically with each additional domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"NOTE: This algorithm is non-deterministic (it depends on the order that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"users and groups are requested). If this mode is required for compatibility "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"with machines running winbind, it is recommended to also use the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"least one domain is consistently allocated to slice zero."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozekmsgid "ldap_idmap_helper_table_size (integer)"
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Maximal number of secondary slices that is tried when performing mapping "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"from UNIX id to SID."
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"Note: Additional secondary slices might be generated when SID is being "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"mapped to UNIX id and RID part of SID is out of range for secondary slices "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"generated so far. If value of ldap_idmap_helper_table_size is equal to 0 "
f45a20d6ba9e8d695ec3ab707f0cc082999aa4a3Jakub Hrozek"then no additional secondary slices are generated."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><title>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Well-Known SIDs"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"special hardcoded meaning. Since the generic users and groups related to "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"those Well-Known SIDs have no equivalent in a Linux/UNIX environment no "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"POSIX IDs are available for those objects."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The SID name space is organized in authorities which can be seen as "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"different domains. The authorities for the Well-Known SIDs are"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Null Authority"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "World Authority"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Local Authority"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Creator Authority"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "NT Authority"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "Built-in"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The capitalized version of these names are used as domain names when "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"returning the fully qualified name of a Well-Known SID."
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <refsect1><refsect2><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Since some utilities allow to modify SID based access control information "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"with the help of a name instead of using the SID directly SSSD supports to "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"look up the SID by the name as well. To avoid collisions only the fully "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"qualified names can be used to look up Well-Known SIDs. As a result the "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<quote> LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, <quote>NT "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"AUTHORITY</quote> and <quote>BUILTIN</quote> should not be used as domain "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"names in <filename>sssd.conf</filename>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "<option>-?</option>,<option>--help</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: include/param_help.xml:7 include/param_help_py.xml:7
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Display help message and exit."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "<option>-h</option>,<option>--help</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:3 include/debug_levels_tools.xml:3
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"SSSD supports two representations for specifying the debug level. The "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"simplest is to specify a decimal value from 0-9, which represents enabling "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"that level and all lower-level debug messages. The more comprehensive option "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"is to specify a hexadecimal bitmask to enable or disable specific levels "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"(such as if you wish to suppress a level)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"Please note that each SSSD service logs into its own log file. Also please "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"section only enables debugging just for the sssd process itself, not for the "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"responder or provider processes. The <quote>debug_level</quote> parameter "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"should be added to all sections that you wish to produce debug logs from."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <listitem><para>
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"In addition to changing the log level in the config file using the "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<quote>debug_level</quote> parameter, which is persistent, but requires SSSD "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"restart, it is also possible to change the debug level on the fly using the "
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</"
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek"manvolnum> </citerefentry> tool."
be5cc3c013ece0c957f2f8c28a217052227dfd07Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:29 include/debug_levels_tools.xml:10
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Currently supported debug levels:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:32 include/debug_levels_tools.xml:13
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"Anything that would prevent SSSD from starting up or causes it to cease "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:38 include/debug_levels_tools.xml:19
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"error that doesn't kill SSSD, but one that indicates that at least one major "
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek"feature is not going to work properly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:45 include/debug_levels_tools.xml:26
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"error announcing that a particular request or operation has failed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:50 include/debug_levels_tools.xml:31
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"are the errors that would percolate down to cause the operation failure of 2."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:55 include/debug_levels_tools.xml:36
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:59 include/debug_levels_tools.xml:40
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:63 include/debug_levels_tools.xml:44
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"operation functions."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:67 include/debug_levels_tools.xml:48
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"internal control functions."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:72 include/debug_levels_tools.xml:53
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"internal variables that may be interesting."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:77 include/debug_levels_tools.xml:58
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"tracing information."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:81 include/debug_levels_tools.xml:62
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"To log required bitmask debug levels, simply add their numbers together as "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"shown in following examples:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:85 include/debug_levels_tools.xml:66
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"serious failures and function data use 0x0270."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:89 include/debug_levels_tools.xml:70
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"function data, trace messages for internal control functions use 0x1310."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:94 include/debug_levels_tools.xml:75
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek#. type: Content of: <listitem><para>
0142e7e2558a887992b1c5d4dc3051178e377687Jakub Hrozek#: include/debug_levels.xml:98 include/debug_levels_tools.xml:79
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozekmsgid "<emphasis>Default</emphasis>: 0"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: outside any tag (error?)
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"<emphasis> This is an experimental feature, please use https://pagure.io/"
f10ebaa51ecdcbbd10f171d19fe8e680e5bc74aaJakub Hrozek"SSSD/sssd/ to report any issues. </emphasis>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "THE LOCAL DOMAIN"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"In order to function correctly, a domain with <quote>id_provider=local</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"quote> must be created and the SSSD must be running."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The administrator might want to use the SSSD local users instead of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"traditional UNIX users in cases where the group nesting (see <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>) is needed. The local users are also useful for testing and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"development of the SSSD without having to deploy a full remote server. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_user*</command> and <command>sss_group*</command> tools use a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"local LDB storage to store users and groups."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </"
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"citerefentry>, </phrase> <phrase condition=\"with_secrets\"> <citerefentry> "
b47fd11a259c50e63cd674c7cba0da3f2549cae0Jakub Hrozek"<refentrytitle>sssd-secrets</refentrytitle> <manvolnum>5</manvolnum> </"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"citerefentry>, </phrase> <citerefentry> <refentrytitle>sssd-session-"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<citerefentry> <refentrytitle>sss_cache</refentrytitle><manvolnum>8</"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_obfuscate</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> </"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <phrase condition="
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"\"with_ssh\"> <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</"
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</"
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> "
5ee3fba0bd812242a1ffe189f5ddf2689e6e6811Jakub Hrozek"<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"citerefentry> <phrase condition=\"with_stap\"> <citerefentry> "
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </"
9a839b29816c8906d4a6b074cf76df790cac9209Jakub Hrozek"citerefentry> </phrase>"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"An optional base DN, search scope and LDAP filter to restrict LDAP searches "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"for this attribute type."
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para><programlisting>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope "
a23014d69b56cbdf48ad05229c334648b5309d8fJakub Hrozek"functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"For examples of this syntax, please refer to the <quote>ldap_search_base</"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"quote> examples section."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Please note that specifying scope or filter is not supported for searches "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"against an Active Directory Server that might yield a large number of "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"results and trigger the Range Retrieval extension in the response."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Please note that the automounter only reads the master map on startup, so if "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"any autofs-related changes are made to the sssd.conf, you typically also "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"need to restart the automounter daemon after restarting the SSSD."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "override_homedir (string)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "UID number"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "domain name"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "fully qualified user name (user@domain)"
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozekmsgid "The first letter of the login name."
4c9419d98b89a6161a3dde11f9f80be39d12e72aJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
fbeb1aba9e11e7aab8adac943276ca040f0c5311Jakub Hrozekmsgid "UPN - User Principal Name (name@REALM)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "The original home directory retrieved from the identity provider."
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozekmsgid "The value of configure option <emphasis>homedir_substring</emphasis>."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Override the user's home directory. You can either provide an absolute value "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"or a template. In the template, the following sequences are substituted: "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"<placeholder type=\"variablelist\" id=\"0\"/>"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><programlisting>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"override_homedir = /home/%u\n"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "Default: Not set (SSSD will use the value retrieved from LDAP)"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <varlistentry><term>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozekmsgid "homedir_substring (string)"
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"The value of this option will be used in the expansion of the "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"<emphasis>override_homedir</emphasis> option if the template contains the "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"format string <emphasis>%H</emphasis>. An LDAP directory entry can directly "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"contain this template so that this option can be used to expand the home "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"directory path for each client machine (or operating system). It can be set "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"per-domain or globally in the [nss] section. A value specified in a domain "
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek"section will override one set in the [nss] section."
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozek#. type: Content of: <varlistentry><listitem><para>
a7797068c4deb6ce2bdbcda27c45ff1bbb4a8e78Jakub Hrozekmsgid "Default: /home"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><title>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "MODIFIED DEFAULT OPTIONS"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"Certain option defaults do not match their respective backend provider "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"defaults, these option names and AD provider-specific defaults are listed "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "KRB5 Provider"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "krb5_validate = true"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "krb5_use_enterprise_principal = true"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "LDAP Provider"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_schema = ad"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_force_upper_case_realm = true"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_id_mapping = true"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_sasl_mech = gssapi"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_referrals = false"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_account_expire_policy = ad"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_use_tokengroups = true"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"Certain option defaults do not match their respective backend provider "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek"defaults, these option names and IPA provider-specific defaults are listed "
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "krb5_use_fast = try"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "krb5_canonicalize = true"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "LDAP Provider - General"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_schema = ipa_v1"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_sasl_mech = GSSAPI"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_sasl_minssf = 56"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_account_expire_policy = ipa"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "LDAP Provider - User options"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_user_member_of = memberOf"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_user_uuid = ipaUniqueID"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_user_ssh_public_key = ipaSshPubKey"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_user_auth_type = ipaUserAuthType"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "LDAP Provider - Group options"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_group_object_class = ipaUserGroup"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_group_object_class_alt = posixGroup"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_group_member = member"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_group_uuid = ipaUniqueID"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_group_objectsid = ipaNTSecurityIdentifier"
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozek#. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para>
36b56482ca1e53d832accef0354124fd79711172Jakub Hrozekmsgid "ldap_group_external_member = ipaExternalMember"