eu.po revision 524ceecc11f3d458eb3c1cf1489c3ff6ccb22226
# Basque translations for sssd-docs package
# Copyright (C) 2012 Red Hat
# This file is distributed under the same license as the sssd-docs package.
# Automatically generated, 2012.
"Project-Id-Version: sssd-docs 1.8.95\n"
"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
"POT-Creation-Date: 2012-10-05 19:20+0300\n"
"PO-Revision-Date: 2012-07-18 21:31+0300\n"
"Last-Translator: Automatically generated\n"
"Language-Team: none\n"
"Language: eu\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
#. type: Content of: <reference><title>
#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5
#: sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 sss_obfuscate.8.xml:5
#: sss_useradd.8.xml:5 sssd-krb5.5.xml:5 sss_groupadd.8.xml:5
#: sss_userdel.8.xml:5 sss_groupdel.8.xml:5 sss_groupshow.8.xml:5
#: sss_usermod.8.xml:5 sss_cache.8.xml:5 sss_debuglevel.8.xml:5
#: sss_seed.8.xml:5 sss_ssh_authorizedkeys.1.xml:5
msgid "SSSD Manual pages"
#. type: Content of: <reference><refentry><refnamediv><refname>
msgid "sss_groupmod"
#. type: Content of: <reference><refentry><refmeta><manvolnum>
#: sss_groupmod.8.xml:11 pam_sss.8.xml:14 sssd_krb5_locator_plugin.8.xml:11
#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_useradd.8.xml:11
#: sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11
#: sss_groupshow.8.xml:11 sss_usermod.8.xml:11 sss_cache.8.xml:11
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
msgid "modify a group"
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
#. type: Content of: <reference><refentry><refsect1><title>
#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
#: sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 sss_obfuscate.8.xml:30
#: sss_useradd.8.xml:30 sssd-krb5.5.xml:21 sss_groupadd.8.xml:30
#: sss_userdel.8.xml:30 sss_groupdel.8.xml:30 sss_groupshow.8.xml:30
#: sss_usermod.8.xml:30 sss_cache.8.xml:29 sss_debuglevel.8.xml:30
#: sss_seed.8.xml:31 sss_ssh_authorizedkeys.1.xml:30
msgid "DESCRIPTION"
#. type: Content of: <reference><refentry><refsect1><para>
"<command>sss_groupmod</command> modifies the group to reflect the changes "
"that are specified on the command line."
#. type: Content of: <reference><refentry><refsect1><title>
#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
#: sss_ssh_authorizedkeys.1.xml:75 sss_ssh_knownhostsproxy.1.xml:62
msgid "OPTIONS"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
"replaceable>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
"Append this group to groups specified by the <replaceable>GROUPS</"
"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
"a comma separated list of group names."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
"replaceable>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
"Remove this group from groups specified by the <replaceable>GROUPS</"
"replaceable> parameter."
#. type: Content of: <reference><refentry><refnamediv><refname>
#. type: Content of: <reference><refentry><refmeta><manvolnum>
#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
msgid "File Formats and Conventions"
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
#: sssd.conf.5.xml:17 sssd-ldap.5.xml:17 sssd_krb5_locator_plugin.8.xml:16
#: sssd-ipa.5.xml:17 sssd-ad.5.xml:17 sssd-sudo.5.xml:17 sssd-krb5.5.xml:17
msgid "the configuration file for SSSD"
#. type: Content of: <reference><refentry><refsect1><title>
msgid "FILE FORMAT"
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
" <replaceable>[section]</replaceable>\n"
" <replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
" <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
#. type: Content of: <reference><refentry><refsect1><para>
"The file has an ini-style syntax and consists of sections and parameters. A "
"section begins with the name of the section in square brackets and continues "
"until the next section begins. An example of section with single and multi-"
"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
#. type: Content of: <reference><refentry><refsect1><para>
"The data types used are string (no quotes needed), integer and bool (with "
"values of <quote>TRUE/FALSE</quote>)."
#. type: Content of: <reference><refentry><refsect1><para>
"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
"(<quote>;</quote>). Inline comments are not supported."
#. type: Content of: <reference><refentry><refsect1><para>
"All sections can have an optional <replaceable>description</replaceable> "
"parameter. Its function is only as a label for the section."
#. type: Content of: <reference><refentry><refsect1><para>
"<filename>sssd.conf</filename> must be a regular file, owned by root and "
"only root may read from or write to the file."
#. type: Content of: <reference><refentry><refsect1><title>
msgid "SPECIAL SECTIONS"
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
msgid "The [sssd] section"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
msgid "Section parameters"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
msgid "config_file_version (integer)"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
msgid "services"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"Comma separated list of services that are started when sssd itself starts."
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "reconnection_retries (integer)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"Number of times services should attempt to reconnect in the event of a Data "
"Provider crash or restart before they give up"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Default: 3"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
msgid "domains"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"A domain is a database containing user information. SSSD can use more "
"domains at the same time, but at least one must be configured or SSSD won't "
"start. This parameter described the list of domains in the order you want "
"them to be queried."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "re_expression (string)"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"Default regular expression that describes how to parse the string containing "
"user name and domain into these components."
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"Each domain can have an individual regular expression configured. For some "
"ID providers there are also default regular expressions. See DOMAIN "
"SECTIONS for more info on these regular expressions."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "full_name_format (string)"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"The default <citerefentry> <refentrytitle>printf</refentrytitle> "
"<manvolnum>3</manvolnum> </citerefentry>-compatible format that describes "
"how to translate a (name, domain) tuple into a fully qualified name."
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"Each domain can have an individual format string configured. see DOMAIN "
"SECTIONS for more info on this option."
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
msgid "try_inotify (boolean)"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"SSSD monitors the state of resolv.conf to identify when it needs to update "
"its internal DNS resolver. By default, we will attempt to use inotify for "
"this, and will fall back to polling resolv.conf every five seconds if "
"inotify cannot be used."
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"There are some limited situations where it is preferred that we should skip "
"even trying to use inotify. In these rare cases, this option should be set "
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"Default: true on platforms where inotify is supported. False on other "
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"Note: this option will have no effect on platforms where inotify is "
"unavailable. On these platforms, polling will always be used."
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
msgid "krb5_rcache_dir (string)"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"Directory on the filesystem where SSSD should store Kerberos replay cache "
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
"SSSD to let libkrb5 decide the appropriate location for the replay cache."
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"Default: Distribution-specific and specified at build-time. "
"(__LIBKRB5_DEFAULTS__ if not configured)"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
msgid "force_timeout (integer)"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"If a service is not responding to ping checks (see the <quote>timeout</"
"quote> option), it is first sent the SIGTERM signal that instructs it to "
"quit gracefully. If the service does not terminate after "
"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
"by sending a SIGKILL signal."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
#: sssd.conf.5.xml:217 sssd.conf.5.xml:346 sssd.conf.5.xml:605
msgid "Default: 60"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
msgid "default_domain_suffix (string)"
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"This string will be used as a default domain name for all names without a "
"domain name component. The main use case are environments were the local "
"domain is only managing hosts but no users and all users are coming from a "
"trusted domain. The option allows those users to log in just with their user "
"name without giving a domain name as well."
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
"Please note that if this option is set all users from the local domain have "
"to use their fully qualified name, e.g. user@domain.name, to log in."
#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
#: sssd.conf.5.xml:241 sssd-ldap.5.xml:1336 sssd-ldap.5.xml:1348
#: sssd-ldap.5.xml:1409 sssd-ldap.5.xml:2206 sssd-ldap.5.xml:2233
#: sssd-krb5.5.xml:361 include/ldap_id_mapping.xml:145
msgid "Default: not set"
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
"Individual pieces of SSSD functionality are provided by special SSSD "
"services that are started and stopped together with SSSD. The services are "
"managed by a special service frequently called <quote>monitor</quote>. The "
"<quote>[sssd]</quote> section is used to configure the monitor as well as "
"some other important options like the identity domains. <placeholder type="
"\"variablelist\" id=\"0\"/>"
#. type: Content of: <reference><refentry><refsect1><title>
msgid "SERVICES SECTIONS"
#. type: Content of: <reference><refentry><refsect1><para>
"Settings that can be used to configure different services are described in "
"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
"section, for example, for NSS service, the section would be <quote>[nss]</"
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
msgid "General service configuration options"
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
msgid "These options can be used to configure any service."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "debug_level (integer)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "debug_timestamps (bool)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Add a timestamp to the debug messages"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
#: sssd.conf.5.xml:277 sssd.conf.5.xml:441 sssd.conf.5.xml:845
#: sssd-ldap.5.xml:1464 sssd-ldap.5.xml:1590 sssd-ldap.5.xml:1994
#: sssd-ldap.5.xml:2059 sssd-ldap.5.xml:2077 sssd-ipa.5.xml:244
msgid "Default: true"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "debug_microseconds (bool)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Add microseconds to the timestamp in debug messages"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
#: sssd.conf.5.xml:288 sssd.conf.5.xml:787 sssd.conf.5.xml:1630
#: sssd-ldap.5.xml:640 sssd-ldap.5.xml:1377 sssd-ldap.5.xml:1396
#: sssd-ldap.5.xml:1533 sssd-ipa.5.xml:123 sssd-ipa.5.xml:339
#: sssd-krb5.5.xml:237 sssd-krb5.5.xml:271 sssd-krb5.5.xml:420
msgid "Default: false"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "timeout (integer)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"Timeout in seconds between heartbeats for this service. This is used to "
"ensure that the process is alive and capable of answering requests."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "Default: 10"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "fd_limit"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"This option specifies the maximum number of file descriptors that may be "
"opened at one time by this SSSD process. On systems where SSSD is granted "
"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
"systems without this capability, the resulting value will be the lower value "
"of this or the limits.conf \"hard\" limit."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Default: 8192 (or limits.conf \"hard\" limit)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "client_idle_timeout"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"This option specifies the number of seconds that a client of an SSSD process "
"can hold onto a file descriptor without communicating on it. This value is "
"limited in order to avoid resource exhaustion on the system."
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
msgid "NSS configuration options"
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
"These options can be used to configure the Name Service Switch (NSS) service."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "enum_cache_timeout (integer)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"How many seconds should nss_sss cache enumerations (requests for info about "
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Default: 120"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "entry_cache_nowait_percentage (integer)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"The entry cache can be set to automatically update entries in the background "
"if they are requested beyond a percentage of the entry_cache_timeout value "
"for the domain."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"For example, if the domain's entry_cache_timeout is set to 30s and "
"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
"after 15 seconds past the last cache update will be returned immediately, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"but the SSSD will go and update the cache on its own, so that future "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"requests will not need to block waiting for a cache update."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Valid values for this option are 0-99 and represent a percentage of the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"entry_cache_timeout for each domain. For performance reasons, this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"disables this feature)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 50"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_negative_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies for how many seconds nss_sss should cache negative cache hits "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(that is, queries for invalid database entries, like nonexistent ones) "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"before asking the back end again."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:414 sssd.conf.5.xml:811 sssd-krb5.5.xml:225
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 15"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "filter_users, filter_groups (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Exclude certain users from being fetched from the sss NSS database. This is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"particularly useful for system accounts. This option can also be set per-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"domain or include fully-qualified names to filter only users from the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"particular domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: root"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "filter_users_in_groups (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If you want filtered user still be group members set this option to false."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "override_homedir (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:455 sssd-ad.5.xml:141 sssd-krb5.5.xml:168
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:456 sssd-ad.5.xml:142 sssd-krb5.5.xml:169
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "login name"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:459 sssd-ad.5.xml:145 sssd-krb5.5.xml:172
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "UID number"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:463 sssd-ad.5.xml:149 sssd-krb5.5.xml:190
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "domain name"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "fully qualified user name (user@domain)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:471 sssd-ad.5.xml:157 sssd-krb5.5.xml:202
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:472 sssd-ad.5.xml:158 sssd-krb5.5.xml:203
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "a literal '%'"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Override the user's home directory. You can either provide an absolute value "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"or a template. In the template, the following sequences are substituted: "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<placeholder type=\"variablelist\" id=\"0\"/>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "This option can also be set per-domain."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:483 sssd.conf.5.xml:507 sssd-ad.5.xml:169
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"override_homedir = /home/%u\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:481 sssd.conf.5.xml:505 sssd-ad.5.xml:167 sssd-ad.5.xml:191
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Default: Not set (SSSD will use the value retrieved from LDAP)"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "fallback_homedir (string)"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Set a default template for a user's home directory if one is not specified "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"explicitly by the domain's data provider."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The available values for this option are the same as for override_homedir."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: not set (no substitution for unset home directories)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "override_shell (string)"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Override the login shell for all users. This option can be specified "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"globally in the [nss] section or per-domain."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Default: not set (SSSD will use the value retrieved from LDAP)"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "allowed_shells (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Restrict user shell to one of the listed values. The order of evaluation is:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"quote>, use the value of the shell_fallback parameter."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"shells</quote>, a nologin shell is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "An empty string for shell is passed as-is to libc."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"that a restart of the SSSD is required in case a new shell is installed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Not set. The user shell is automatically used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "vetoed_shells (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Replace any instance of these shells with the shell_fallback"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "shell_fallback (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The default shell to use if an allowed shell is not installed on the machine."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: /bin/sh"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "default_shell"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The default shell to use if the provider does not return one during lookup. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option supersedes any other shell options if it takes effect."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: not set (Return NULL if no shell is specified and rely on libc to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"substitute something sensible when necessary, usually /bin/sh)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "get_domains_timeout (int)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies time in seconds for which the list of subdomains will be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"considered valid."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "memcache_timeout (int)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies time in seconds for which records in the in-memory cache will be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 300"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "PAM configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"These options can be used to configure the Pluggable Authentication Module "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(PAM) service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "offline_credentials_expiration (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If the authentication provider is offline, how long should we allow cached "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"logins (in days since the last successful online login)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 0 (No limit)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "offline_failed_login_attempts (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If the authentication provider is offline, how many failed login attempts "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are allowed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "offline_failed_login_delay (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The time in minutes which has to pass after offline_failed_login_attempts "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"has been reached before a new login attempt is possible."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If set to 0 the user cannot authenticate offline if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"offline_failed_login_attempts has been reached. Only a successful online "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication can enable offline authentication again."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:672 sssd.conf.5.xml:725 sssd.conf.5.xml:1577
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 5"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "pam_verbosity (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Controls what kind of messages are shown to the user during authentication. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The higher the number to more messages are displayed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Currently sssd supports the following values:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>0</emphasis>: do not show any message"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>1</emphasis>: show only important messages"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>2</emphasis>: show informational messages"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>3</emphasis>: show all messages and debug information"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 1"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "pam_id_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For any PAM request while SSSD is online, the SSSD will attempt to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"immediately update the cached identity information for the user in order to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ensure that authentication takes place with the latest information."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"A complete PAM conversation may perform multiple PAM requests, such as "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"account management and session opening. This option controls (on a per-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"client-application basis) how long (in seconds) we can cache the identity "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"information to avoid excessive round-trips to the identity provider."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "pam_pwd_expiration_warning (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Display a warning N days before the password expires."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that the backend server has to provide information about the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"expiration time of the password. If this information is missing, sssd "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"cannot display a warning."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If zero is set, then this filter is not applied, i.e. if the expiration "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"warning was received from backend server, it will automatically be displayed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"emphasis> for a particular domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 0"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SUDO configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "These options can be used to configure the sudo service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sudo_timed (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"that implement time-dependent sudoers entries."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "AUTOFS configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "These options can be used to configure the autofs service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "autofs_negative_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies for how many seconds should the autofs responder negative cache "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"hits (that is, queries for invalid map entries, like nonexistent ones) "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"before asking the back end again."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "ssh_known_hosts_timeout (integer)"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"How many seconds to keep a host in the managed known_hosts file after its "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"host keys were requested."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "Default: 180"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SSH configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "These options can be used to configure the SSH service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ssh_hash_known_hosts (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Whether or not to hash host names and addresses in the managed known_hosts "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "PAC responder configuration options"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The PAC responder works together with the authorization data plugin for MIT "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider collects domain SID and ID ranges of the domain the client is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"joined to and of remote trusted domains from the local domain controller. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If the PAC is decoded and evaluated some of the following operations are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If the remote user does not exist in the cache, it is created. The uid is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"calculated based on the SID, trusted domains will have UPGs and the gid will "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"have the same value as the uid. The home directory is set based on the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"subdomain_homedir parameter. The shell will be empty by default, i.e. the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"system defaults are used, but can be overwritten with the default_shell "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If there are SIDs of groups from the domain the sssd client belongs to, the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"user will be added to those groups."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "These options can be used to configure the PAC responder."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "allowed_uids (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the comma-separated list of UID values or user names that are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"allowed to access the PAC responder. User names are resolved to UIDs at "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 0 (only the root user is allowed to access the PAC responder)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that although the UID 0 is used as the default it will be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"overwritten with this option. If you still want to allow the root user to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access the PAC responder, which would be the typical case, you have to add 0 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to the list of allowed UIDs as well."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "DOMAIN SECTIONS"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "min_id,max_id (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"UID and GID limits for the domain. If a domain contains an entry that is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"outside these limits, it is ignored."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For users, this affects the primary GID limit. The user will not be returned "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to NSS if either the UID or the primary GID is outside the range. For non-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"primary group memberships, those that are in range will be reported as "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 1 for min_id, 0 (no limit) for max_id"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "enumerate (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Determines if a domain can be enumerated. This parameter can have one of the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"following values:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "TRUE = Users and groups are enumerated"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "FALSE = No enumerations for this domain"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:950 sssd.conf.5.xml:1082 sssd.conf.5.xml:1184
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: FALSE"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Note: Enabling enumeration has a moderate performance impact on SSSD while "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"enumeration is running. It may take up to several minutes after SSSD startup "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to fully complete enumerations. During this time, individual requests for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"information will go directly to LDAP, though it may be slow, due to the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"heavy enumeration processing."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"While the first enumeration is running, requests for the complete user or "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"group lists may return no results until it completes."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Further, enabling enumeration may increase the time necessary to detect "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"network disconnection, as longer timeouts are required to ensure that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"enumeration lookups are completed successfully. For more information, refer "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to the man pages for the specific id_provider in use."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should nss_sss consider entries valid before asking the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"backend again"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 5400"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_user_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should nss_sss consider user entries valid before asking "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the backend again"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:999 sssd.conf.5.xml:1012 sssd.conf.5.xml:1025
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:1038 sssd.conf.5.xml:1051 sssd.conf.5.xml:1065
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: entry_cache_timeout"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_group_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should nss_sss consider group entries valid before asking "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the backend again"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_netgroup_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should nss_sss consider netgroup entries valid before "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"asking the backend again"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_service_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should nss_sss consider service entries valid before asking "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the backend again"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "entry_cache_sudo_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds should sudo consider rules valid before asking the backend "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "entry_cache_autofs_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"How many seconds should the autofs service consider automounter maps valid "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"before asking the backend again"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "cache_credentials (bool)"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Determines if user credentials are also cached in the local LDB cache"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "User credentials are stored in a SHA512 hash, not in plaintext"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "account_cache_expiration (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Number of days entries are left in cache after last successful login before "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"being removed during a cleanup of the cache. 0 means keep forever. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"value of this parameter must be greater than or equal to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"offline_credentials_expiration."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 0 (unlimited)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "pwd_expiration_warning (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that the backend server has to provide information about the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"expiration time of the password. If this information is missing, sssd "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"cannot display a warning. Also an auth provider has to be configured for the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 7 (Kerberos), 0 (LDAP)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "id_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The identification provider used for the domain. Supported ID providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "proxy: Support a legacy NSS provider"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "<quote>local</quote>: SSSD internal provider for local users"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"information on configuring LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:1148 sssd.conf.5.xml:1210 sssd.conf.5.xml:1261
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:1157 sssd.conf.5.xml:1219 sssd.conf.5.xml:1270
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<quote>ad</quote>: Active Directory provider. See <citerefentry> "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry> for more information on configuring Active Directory."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "use_fully_qualified_names (bool)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Use the full name and domain (as formatted by the domain's full_name_format) "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"as the user's login name reported to NSS."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If set to TRUE, all requests to this domain must use fully qualified names. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For example, if used in LOCAL domain that contains a \"test\" user, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>getent passwd test</command> wouldn't find the user while "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>getent passwd test@LOCAL</command> would."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "auth_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The authentication provider used for the domain. Supported auth providers "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information on configuring LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information on configuring Kerberos."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>proxy</quote> for relaying authentication to some other PAM target."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<quote>none</quote> disables authentication explicitly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: <quote>id_provider</quote> is used if it is set and can handle "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication requests."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "access_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The access control provider used for the domain. There are two built-in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access providers (in addition to any included in installed backends) "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Internal special providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>permit</quote> always allow access. It's the only permitted access "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider for a local domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<quote>deny</quote> always deny access."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>simple</quote> access control based on access or deny lists. See "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum></citerefentry> for more information on configuring the simple "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access module."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: <quote>permit</quote>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "chpass_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The provider which should handle change password operations for the domain. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Supported change password providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap</quote> to change a password stored in a LDAP server. See "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> for more information on configuring LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information on configuring Kerberos."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>proxy</quote> for relaying password changes to some other PAM target."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<quote>none</quote> disallows password changes explicitly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: <quote>auth_provider</quote> is used if it is set and can handle "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"change password requests."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sudo_provider (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The SUDO provider used for the domain. Supported SUDO providers are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information on configuring LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<quote>none</quote> disables SUDO explicitly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd.conf.5.xml:1362 sssd.conf.5.xml:1444 sssd.conf.5.xml:1469
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: The value of <quote>id_provider</quote> is used if it is set."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "selinux_provider (string)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"The provider which should handle loading of selinux settings. Note that this "
"provider will be called right after access provider ends. Supported selinux "
"providers are:"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"<quote>ipa</quote> to load selinux settings from an IPA server. See "
"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
"manvolnum> </citerefentry> for more information on configuring IPA."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "<quote>none</quote> disallows fetching selinux settings explicitly."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"Default: <quote>id_provider</quote> is used if it is set and can handle "
"selinux loading requests."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "subdomains_provider (string)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"The provider which should handle fetching of subdomains. This value should "
"be always the same as id_provider. Supported subdomain providers are:"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
"manvolnum> </citerefentry> for more information on configuring IPA."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "<quote>none</quote> disallows fetching subdomains explicitly."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "Default: none"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "autofs_provider (string)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"The autofs provider used for the domain. Supported autofs providers are:"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
"citerefentry> for more information on configuring LDAP."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
"citerefentry> for more information on configuring IPA."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "<quote>none</quote> disables autofs explicitly."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "hostid_provider (string)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"The provider used for retrieving host identity information. Supported "
"hostid providers are:"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"<quote>ipa</quote> to load host identity stored in an IPA server. See "
"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
"manvolnum> </citerefentry> for more information on configuring IPA."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "<quote>none</quote> disables hostid explicitly."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"Regular expression for this domain that describes how to parse the string "
"containing user name and domain into these components."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
"user names:"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
msgid "username"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
msgid "username@domain.name"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
msgid "domain\\username"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"While the first two correspond to the general default the third one is "
"introduced to allow easy integration of users from Windows domains."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
"which translates to \"the name is everything up to the <quote>@</quote> "
"sign, the domain everything after that\""
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"PLEASE NOTE: the support for non-unique named subpatterns is not available "
"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
"version 7 or higher can support non-unique named subpatterns."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
"P<name>) to label subpatterns."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
"manvolnum> </citerefentry>-compatible format that describes how to translate "
"a (name, domain) tuple for this domain into a fully qualified name."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "Default: <quote>%1$s@%2$s</quote>."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "lookup_family_order (string)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"Provides the ability to select preferred address family to use when "
"performing DNS lookups."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "Supported values:"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "Default: ipv4_first"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "dns_resolver_timeout (integer)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"Defines the amount of time (in seconds) to wait for a reply from the DNS "
"resolver before assuming that it is unreachable. If this timeout is reached, "
"the domain will continue to operate in offline mode."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "dns_discovery_domain (string)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"If service discovery is used in the back end, specifies the domain part of "
"the service discovery DNS query."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "Default: Use the domain part of machine's hostname"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "override_gid (integer)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "Override the primary GID value with the one specified."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "case_sensitive (boolean)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"Treat user and group names as case sensitive. At the moment, this option is "
"not supported in the local provider."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "Default: True"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "proxy_fast_alias (boolean)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"When a user or group is looked up by name in the proxy provider, a second "
"lookup by ID is performed to \"canonicalize\" the name in case the requested "
"name was an alias. Setting this option to true would cause the SSSD to "
"perform the ID lookup from cache for performance reasons."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "subdomain_homedir (string)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"Use this homedir as default value for all subdomains within this domain. See "
"<emphasis>override_homedir</emphasis> for info about possible values."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"The value can be overridden by <emphasis>override_homedir</emphasis> option."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "Default: <filename>/home/%d/%u</filename>"
#. type: Content of: <reference><refentry><refsect1><para>
"These configuration options can be present in a domain configuration "
"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "proxy_pam_target (string)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "The proxy target PAM proxies to."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"Default: not set by default, you have to take an existing pam configuration "
"or create a new one and add the service name here."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "proxy_lib_name (string)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"The name of the NSS library to use in proxy domains. The NSS functions "
"searched for in the library are in the form of _nss_$(libName)_$(function), "
"for example _nss_files_getpwent."
#. type: Content of: <reference><refentry><refsect1><para>
"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
msgid "The local domain section"
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
"This section contains settings for domain that stores users and groups in "
"SSSD native database, that is, a domain that uses "
"<replaceable>id_provider=local</replaceable>."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "default_shell (string)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "The default shell for users created with SSSD userspace tools."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Default: <filename>/bin/bash</filename>"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "base_directory (string)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"The tools append the login name to <replaceable>base_directory</replaceable> "
"and use that as the home directory."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Default: <filename>/home</filename>"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "create_homedir (bool)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"Indicate if a home directory should be created by default for new users. "
"Can be overridden on command line."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Default: TRUE"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "remove_homedir (bool)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"Indicate if a home directory should be removed by default for deleted "
"users. Can be overridden on command line."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "homedir_umask (integer)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
"on a newly created home directory."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Default: 077"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "skel_dir (string)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"The skeleton directory, which contains files and directories to be copied in "
"the user's home directory, when the home directory is created by "
"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
"manvolnum> </citerefentry>"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Default: <filename>/etc/skel</filename>"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "mail_dir (string)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"The mail spool directory. This is needed to manipulate the mailbox when its "
"corresponding user account is modified or deleted. If not specified, a "
"default value is used."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Default: <filename>/var/mail</filename>"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
msgid "userdel_cmd (string)"
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
"The command that is run after a user is removed. The command us passed the "
"username of the user being removed as the first and only parameter. The "
"return code of the command is not taken into account."
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
msgid "Default: None, no command is run"
#. type: Content of: <reference><refentry><refsect1><title>
#: sssd.conf.5.xml:1815 sssd-ldap.5.xml:2259 sssd-simple.5.xml:126
#: sssd-ipa.5.xml:583 sssd-ad.5.xml:228 sssd-krb5.5.xml:434
msgid "EXAMPLE"
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
"domains = LDAP\n"
"services = nss, pam\n"
"config_file_version = 2\n"
"filter_groups = root\n"
"filter_users = root\n"
"id_provider = ldap\n"
"ldap_uri = ldap://ldap.example.com\n"
"ldap_search_base = dc=example,dc=com\n"
"auth_provider = krb5\n"
"krb5_server = kerberos.example.com\n"
"krb5_realm = EXAMPLE.COM\n"
"cache_credentials = true\n"
"min_id = 10000\n"
"max_id = 20000\n"
"enumerate = False\n"
#. type: Content of: <reference><refentry><refsect1><para>
"The following example shows a typical SSSD config. It does not describe "
"configuration of the domains themselves - refer to documentation on "
"configuring domains for more details. <placeholder type=\"programlisting\" "
#. type: Content of: <reference><refentry><refnamediv><refname>
msgid "sssd-ldap"
#. type: Content of: <reference><refentry><refsect1><para>
"This manual page describes the configuration of LDAP domains for "
"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
"manvolnum> </citerefentry> manual page for detailed syntax information."
#. type: Content of: <reference><refentry><refsect1><para>
msgid "You can configure SSSD to use more than one LDAP domain."
#. type: Content of: <reference><refentry><refsect1><para>
"LDAP back end supports id, auth, access and chpass providers. If you want to "
"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
"over an unencrypted channel. If the LDAP server is used only as an identity "
"provider, an encrypted channel is not needed. Please refer to "
"<quote>ldap_access_filter</quote> config option for more information about "
"using LDAP as an access provider."
#. type: Content of: <reference><refentry><refsect1><title>
#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:64 sssd-ad.5.xml:75
msgid "CONFIGURATION OPTIONS"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "ldap_uri, ldap_backup_uri (string)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
"should connect in the order of preference. Refer to the <quote>FAILOVER</"
"quote> section for more information on failover and server redundancy. If "
"neither option is specified, service discovery is enabled. For more "
"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "The format of the URI must match the format defined in RFC 2732:"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "ldap[s]://<host>[:port]"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
msgid "example: ldap://[fc00::126:25]:389"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)"
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
"should connect in the order of preference to change the password of a user. "
"Refer to the <quote>FAILOVER</quote> section for more information on "
"failover and server redundancy."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "To enable service discovery ldap_chpass_dns_service_name must be set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: empty, i.e. ldap_uri is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The default base DN to use for performing LDAP user operations."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The filter must be a valid LDAP search filter as specified by http://www."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Examples:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_search_base = dc=example,dc=com (which is equivalent to) "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_search_base = dc=example,dc=com?subtree?"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(host=thishost)?dc=example.com?subtree?"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Note: It is unsupported to have multiple search bases which reference "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"identically-named objects (for example, groups with the same name in two "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"different search bases). This will lead to unpredictable behavior on client "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: If not set, the value of the defaultNamingContext or namingContexts "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"attribute from the RootDSE of the LDAP server is used. If "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"defaultNamingContext does not exist or has an empty value namingContexts is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"used. The namingContexts attribute must have a single value with the DN of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the search base of the LDAP server to make this work. Multiple values are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are not supported."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_schema (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the Schema Type in use on the target LDAP server. Depending on "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the selected schema, the default attribute names retrieved from the servers "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"may vary. The way that some attributes are handled may also differ."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "Four schema types are currently supported:"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "rfc2307"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "rfc2307bis"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"The main difference between these schema types is how group memberships are "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"recorded in the server. With rfc2307, group members are listed by name in "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"group members are listed by DN and stored in the <emphasis>member</emphasis> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"attribute. The AD schema type sets the attributes to correspond with Active "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Directory 2008r2 values."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: rfc2307"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_default_bind_dn (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The default bind DN to use for performing LDAP operations."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_default_authtok_type (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The type of the authentication token of the default bind DN."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The two mechanisms currently supported are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "password"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "obfuscated_password"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: password"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_default_authtok (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The authentication token of the default bind DN. Only clear text passwords "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are currently supported."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of a user entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: posixAccount"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the user's login name."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: uid"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_uid_number (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the user's id."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: uidNumber"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_gid_number (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the user's primary group id."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: gidNumber"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_gecos (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the user's gecos field."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: gecos"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_home_directory (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the name of the user's home directory."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: homeDirectory"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shell (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the path to the user's default shell."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: loginShell"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_uuid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:804 sssd-ldap.5.xml:990
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: nsUniqueId"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_objectsid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the objectSID of an LDAP user object. This "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is usually only necessary for ActiveDirectory servers."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: objectSid for ActiveDirectory, not set for other servers."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_modify_timestamp (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:372 sssd-ldap.5.xml:828 sssd-ldap.5.xml:999
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains timestamp of the last modification of the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"parent object."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:376 sssd-ldap.5.xml:832 sssd-ldap.5.xml:1006
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: modifyTimestamp"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_last_change (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the last password change)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowLastChange"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_min (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"password age)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowMin"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_max (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"password age)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowMax"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_warning (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(password warning period)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowWarning"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_inactive (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(password inactivity period)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowInactive"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_shadow_expire (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"parameter contains the name of an LDAP attribute corresponding to its "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> counterpart (account expiration date)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: shadowExpire"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_krb_last_pwd_change (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"an LDAP attribute storing the date and time of last password change in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: krbLastPwdChange"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_krb_password_expiration (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"an LDAP attribute storing the date and time when current password expires."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: krbPasswordExpiration"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_ad_account_expires (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=ad, this parameter contains the name "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of an LDAP attribute storing the expiration time of the account."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: accountExpires"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_ad_user_account_control (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=ad, this parameter contains the name "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of an LDAP attribute storing the user account control bit field."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: userAccountControl"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_ns_account_lock (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"determines if access is allowed or not."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: nsAccountLock"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_nds_login_disabled (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=nds, this attribute determines if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access is allowed or not."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: loginDisabled"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_nds_login_expiration_time (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=nds, this attribute determines until "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"which date access is granted."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_nds_login_allowed_time_map (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using ldap_account_expire_policy=nds, this attribute determines the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"hours of a day in a week when access is granted."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: loginAllowedTimeMap"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_principal (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the user's Kerberos User Principal Name "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: krbPrincipalName"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_ssh_public_key (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the user's SSH public keys."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_force_upper_case_realm (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Some directory servers, for example Active Directory, might deliver the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"realm part of the UPN in lower case, which might cause the authentication to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"fail. Set this option to a non-zero value if you want to use an upper-case "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_enumeration_refresh_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies how many seconds SSSD has to wait before refreshing its cache of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"enumerated records."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_purge_cache_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Determine how often to check the cache for inactive entries (such as groups "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"with no members and users who have never logged in) and remove them to save "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Setting this option to zero will disable the cache cleanup operation."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 10800 (12 hours)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_fullname (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the user's full name."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:686 sssd-ldap.5.xml:765 sssd-ldap.5.xml:940
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:1031 sssd-ldap.5.xml:1823 sssd-ldap.5.xml:2149
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: cn"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_member_of (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that lists the user's group memberships."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: memberOf"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_authorized_service (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"use the presence of the authorizedService attribute in the user's LDAP entry "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to determine access privilege."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"explicit allow (svc) and finally for allow_all (*)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: authorizedService"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_authorized_host (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If access_provider=ldap and ldap_access_order=host, SSSD will use the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"presence of the host attribute in the user's LDAP entry to determine access "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"An explicit deny (!host) is resolved first. Second, SSSD searches for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"explicit allow (host) and finally for allow_all (*)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: host"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of a group entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: posixGroup"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the group name."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_gid_number (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the group's id."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_member (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the names of the group's members."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_uuid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_objectsid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the objectSID of an LDAP group object. This "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is usually only necessary for ActiveDirectory servers."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_modify_timestamp (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_nesting_level (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If ldap_schema is set to a schema format that supports nested groups (e.g. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"RFC2307bis), then this option controls how many levels of nesting SSSD will "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"follow. This option has no effect on the RFC2307 schema."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 2"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_groups_use_matching_rule_in_chain"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option tells SSSD to take advantage of an Active Directory-specific "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"feature which may speed up group lookup operations on deployments with "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"complex or deep nested groups."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"In most common cases, it is best to leave this option disabled. It generally "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"only provides a performance increase on very complex nestings."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If this option is enabled, SSSD will use it if it detects that the server "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"supports it during initial connection. So \"True\" here essentially means "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"auto-detect\"."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Note: This feature is currently known to work only with Active Directory "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"for more details."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:880 sssd-ldap.5.xml:907 sssd-ldap.5.xml:1198
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:1632 include/ldap_id_mapping.xml:184
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: False"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_initgroups_use_matching_rule_in_chain"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option tells SSSD to take advantage of an Active Directory-specific "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"feature which might speed up initgroups operations (most notably when "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"dealing with complex or deep nested groups)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of a netgroup entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "In IPA provider, ipa_netgroup_object_class should be used instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: nisNetgroup"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the netgroup name."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "In IPA provider, ipa_netgroup_name should be used instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_member (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the names of the netgroup's members."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "In IPA provider, ipa_netgroup_member should be used instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: memberNisNetgroup"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_triple (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the (host, user, domain) netgroup triples."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "This option is not available in IPA provider."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: nisNetgroupTriple"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_uuid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "In IPA provider, ipa_netgroup_uuid should be used instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_modify_timestamp (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_service_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of a service entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipService"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_service_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the name of service attributes and their "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_service_port (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the port managed by this service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipServicePort"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_service_proto (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains the protocols understood by this service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipServiceProtocol"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_service_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_search_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the timeout (in seconds) that ldap searches are allowed to run "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"before they are cancelled and cached results are returned (and offline mode "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is entered)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Note: this option is subject to change in future versions of the SSSD. It "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"will likely be replaced at some point by a series of timeouts for specific "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"lookup types."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:1083 sssd-ldap.5.xml:1125 sssd-ldap.5.xml:1140
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 6"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_enumeration_search_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the timeout (in seconds) that ldap searches for user and group "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"enumerations are allowed to run before they are cancelled and cached results "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are returned (and offline mode is entered)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_network_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the timeout (in seconds) after which the <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> following a <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> returns in case of no activity."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_opt_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"will abort if no response is received. Also controls the timeout when "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"communicating with the KDC in case of SASL bind."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_connection_expire_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies a timeout (in seconds) that a connection to an LDAP server will be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"maintained. After this time, the connection will be re-established. If used "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the TGT lifetime) will be used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 900 (15 minutes)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_page_size (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify the number of records to retrieve from LDAP in a single request. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Some LDAP servers enforce a maximum limit per-request."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 1000"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_disable_paging (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Disable the LDAP paging control. This option should be used if the LDAP "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"server reports that it supports the LDAP paging control in its RootDSE but "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"it is not enabled or does not behave properly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Example: OpenLDAP servers with the paging control module installed on the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"server but not enabled will report it in the RootDSE but be unable to use it."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Example: 389 DS has a bug where it can only support one paging control at "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"a time on a single connection. On busy clients, this can result in some "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"requests being denied."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sasl_minssf (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When communicating with an LDAP server using SASL, specify the minimum "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"security level necessary to establish the connection. The values of this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"option are defined by OpenLDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Use the system default (usually specified by ldap.conf)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_deref_threshold (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify the number of group members that must be missing from the internal "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"cache in order to trigger a dereference lookup. If fewer members are missing, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"they are looked up individually."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"You can turn off dereference lookups completely by setting the value to 0."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"A dereference lookup is a means of fetching all group members in a single "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP call. Different LDAP servers may implement different dereference "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>Note:</emphasis> If any of the search bases specifies a search "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"filter, then the dereference lookup performance enhancement will be disabled "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"regardless of this setting."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_reqcert (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies what checks to perform on server certificates in a TLS session, if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"any. It can be specified as one of the following values:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>never</emphasis> = The client will not request or check any server "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"certificate."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>allow</emphasis> = The server certificate is requested. If no "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"certificate is provided, the session proceeds normally. If a bad certificate "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is provided, it will be ignored and the session proceeds normally."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>try</emphasis> = The server certificate is requested. If no "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"certificate is provided, the session proceeds normally. If a bad certificate "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is provided, the session is immediately terminated."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>demand</emphasis> = The server certificate is requested. If no "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"certificate is provided, or a bad certificate is provided, the session is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"immediately terminated."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: hard"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_cacert (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the file that contains certificates for all of the Certificate "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Authorities that <command>sssd</command> will recognize."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:1304 sssd-ldap.5.xml:1322 sssd-ldap.5.xml:1363
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"conf</filename>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_cacertdir (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the path of a directory that contains Certificate Authority "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"certificates in separate individual files. Typically the file names need to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"be the hash of the certificate followed by '.0'. If available, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>cacertdir_rehash</command> can be used to create the correct names."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_cert (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies the file that contains the certificate for the client's key."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_key (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies the file that contains the client's key."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_tls_cipher_suite (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies acceptable cipher suites. Typically this is a colon separated "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<manvolnum>5</manvolnum></citerefentry> for format."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_id_use_start_tls (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies that the id_provider connection must also use <systemitem class="
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"protocol\">tls</systemitem> to protect the channel."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_id_mapping (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies that SSSD should attempt to map user and group IDs from the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"on ldap_user_uid_number and ldap_group_gid_number."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Currently this feature supports only ActiveDirectory objectSID mapping."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sasl_mech (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sasl_authid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify the SASL authorization id to use. When GSSAPI is used, this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"represents the Kerberos principal used for authentication to the directory."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "Default: host/hostname@REALM"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sasl_canonicalize (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If set to true, the LDAP library would perform a reverse lookup to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"canonicalize the host name during a SASL bind."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: false;"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_krb5_keytab (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specify the keytab to use when using SASL/GSSAPI."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_krb5_init_creds (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies that the id_provider should init Kerberos credentials (TGT). This "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"action is performed only if SASL is used and the mechanism selected is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_krb5_ticket_lifetime (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 86400 (24 hours)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "krb5_server, krb5_backup_server (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the comma-separated list of IP addresses or hostnames of the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Kerberos servers to which SSSD should connect in the order of preference. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For more information on failover and server redundancy, see the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"colon) may be appended to the addresses or hostnames. If empty, service "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"discovery is enabled - for more information, refer to the <quote>SERVICE "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"DISCOVERY</quote> section."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When using service discovery for KDC or kpasswd servers, SSSD first searches "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"none are found."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"While the legacy name is recognized for the time being, users are advised to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"migrate their config files to use <quote>krb5_server</quote> instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:1512 sssd-ipa.5.xml:254 sssd-krb5.5.xml:103
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_realm (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:1524 sssd-ipa.5.xml:269 sssd-krb5.5.xml:411
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_canonicalize (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies if the host principal should be canonicalized when connecting to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"LDAP server. This feature is available with MIT Kerberos >= 1.7"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_pwd_policy (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Select the policy to evaluate the password expiration on the client side. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following values are allowed:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>none</emphasis> - No evaluation on the client side. This option "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"cannot disable server-side password policies."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"evaluate if the password has expired."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to determine if the password has expired. Use chpass_provider=krb5 to update "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"these attributes when the password is changed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_referrals (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies whether automatic referral chasing should be enabled."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that sssd only supports referral chasing when it is compiled "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"with OpenLDAP version 2.4.13 or higher."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Chasing referrals may incur a performance penalty in environments that use "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"them heavily; a notable example is Microsoft Active Directory. If your setup "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"does not in fact require the use of referrals, setting this option to false "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"might bring a noticeable performance improvement."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_dns_service_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies the service name to use when service discovery is enabled."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ldap"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_chpass_dns_service_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the service name to use to find an LDAP server which allows "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"password changes when service discovery is enabled."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: not set, i.e. service discovery is disabled"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "ldap_chpass_update_last_change (bool)"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Specifies whether to update the ldap_user_shadow_last_change attribute with "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"days since the Epoch after a password change operation."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_access_filter (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"If using access_provider = ldap and ldap_access_order = filter (default), "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"this option is mandatory. It specifies an LDAP search filter criteria that "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"must be met for the user to be granted access on this host. If "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"access_provider = ldap, ldap_access_order = filter and this option is not "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"set, it will result in all users being denied access. Use access_provider = "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"permit to change this default behavior."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Example:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access_provider = ldap\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This example means that access to this host is restricted to members of the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"allowedusers\" group in ldap."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Offline caching for this feature is limited to determining whether the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"user's last online login was granted access permission. If they were granted "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access during their last login, they will continue to be granted access "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"while offline and vice-versa."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Empty"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_account_expire_policy (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"With this option a client side evaluation of access control attributes can "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"be enabled."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that it is always recommended to use server side access control, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"i.e. the LDAP server should deny the bind request with a suitable error code "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"even if the password is correct."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The following values are allowed:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"determine if the account is expired."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>ad</emphasis>: use the value of the 32bit field "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_user_ad_user_account_control and allow access if the second bit is not "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"set. If the attribute is missing access is granted. Also the expiration time "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of the account is checked."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"emphasis>: use the value of ldap_ns_account_lock to check if access is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"allowed or not."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>nds</emphasis>: the values of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_user_nds_login_expiration_time are used to check if access is allowed. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If both attributes are missing access is granted."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_access_order (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Comma separated list of access control options. Allowed values are:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>filter</emphasis>: use ldap_access_filter"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to determine access"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>host</emphasis>: use the host attribute to determine access"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: filter"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that it is a configuration error if a value is used more than "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_deref (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies how alias dereferencing is done when performing a search. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"following options are allowed:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the base object, but not in locating the base object of the search."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the base object of the search."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"in locating the base object of the search."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"client libraries)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"All of the common configuration options that apply to SSSD domains also "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> manual page for full details. <placeholder type="
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SUDO OPTIONS"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of a sudo rule entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoRole"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the sudo rule name."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_command (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the command name."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoCommand"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_host (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the host name (or host IP address, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"host IP network, or host netgroup)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoHost"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_user (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the user name (or UID, group name or "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"user's netgroup)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoUser"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_option (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the sudo options."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoOption"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_runasuser (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the user name that commands may be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoRunAsUser"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_runasgroup (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the group name or group GID that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"commands may be run as."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoRunAsGroup"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_notbefore (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the start date/time for when the sudo "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"rule is valid."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoNotBefore"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_notafter (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that corresponds to the expiration date/time, after which "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the sudo rule will no longer be valid."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoNotAfter"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudorule_order (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that corresponds to the ordering index of the rule."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: sudoOrder"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_full_refresh_interval (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds SSSD will wait between executing a full refresh of sudo "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"rules (which downloads all rules that are stored on the server)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 21600 (6 hours)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_smart_refresh_interval (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"How many seconds SSSD has to wait before executing a smart refresh of sudo "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"rules (which downloads all rules that have USN higher than the highest USN "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of cached rules)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If USN attributes are not supported by the server, the modifyTimestamp "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"attribute is used instead."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_use_host_filter (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If true, SSSD will download only rules that are applicable to this machine "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(using the IPv4 or IPv6 host/network addresses and hostnames)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_hostnames (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Space separated list of hostnames or fully qualified domain names that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"should be used to filter the rules."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"If this option is empty, SSSD will try to discover the hostname and the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"fully qualified domain name automatically."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:2013 sssd-ldap.5.xml:2036 sssd-ldap.5.xml:2054
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"emphasis> then this option has no effect."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: not specified"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_ip (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Space separated list of IPv4 or IPv6 host/network addresses that should be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"used to filter the rules."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If this option is empty, SSSD will try to discover the addresses "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"automatically."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_include_netgroups (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If true then SSSD will download every rule that contains a netgroup in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"sudoHost attribute."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_include_regexp (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If true then SSSD will download every rule that contains a regular "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"expression in sudoHost attribute."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<placeholder type=\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This manual page only describes attribute name mapping. For detailed "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"explanation of sudo related attribute semantics, see <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "AUTOFS OPTIONS"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that the default values correspond to the default schema which "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is RFC2307."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_map_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of an automount map entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: automountMap"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_map_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The name of an automount map entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ou"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_entry_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_entry_key (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The key of an automount entry in LDAP. The entry usually corresponds to a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"mount point."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_entry_value (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: automountInformation"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\"variablelist\" id=\"4\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ADVANCED OPTIONS"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_netgroup_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_user_search_filter (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option specifies an additional LDAP search filter criteria that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"restrict user searches."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option is <emphasis>deprecated</emphasis> in favor of the syntax used "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"by ldap_user_search_base."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" ldap_user_search_filter = (loginShell=/bin/tcsh)\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This filter would restrict user searches to users that have their shell set "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_group_search_filter (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option specifies an additional LDAP search filter criteria that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"restrict group searches."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option is <emphasis>deprecated</emphasis> in favor of the syntax used "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"by ldap_group_search_base."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_sudo_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_autofs_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"These options are supported by LDAP domains, but they should be used with "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"caution. Please include them in your configuration only if you know what you "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are doing. <placeholder type=\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following example assumes that SSSD is correctly configured and LDAP is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"set to one of the domains in the <replaceable>[domains]</replaceable> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" id_provider = ldap\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" auth_provider = ldap\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" ldap_uri = ldap://ldap.mydomain.org\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" ldap_search_base = dc=mydomain,dc=org\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" ldap_tls_reqcert = demand\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" cache_credentials = true\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" enumerate = true\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:2266 sssd-simple.5.xml:134 sssd-ipa.5.xml:591
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sssd-ad.5.xml:236 sssd-sudo.5.xml:56 sssd-sudo.5.xml:78 sssd-sudo.5.xml:99
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sssd-krb5.5.xml:443 include/ldap_id_mapping.xml:63
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<placeholder type=\"programlisting\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: sssd-ldap.5.xml:2280 sssd_krb5_locator_plugin.8.xml:61 sss_seed.8.xml:163
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "NOTES"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The descriptions of some of the configuration options in this manual page "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"distribution."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refentryinfo>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<productname>SSSD</productname> <orgname>The SSSD upstream - http://"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "pam_sss"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "PAM module for SSSD"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>pam_sss.so</command> is the PAM interface to the System Security "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Services daemon (SSSD). Errors and results are logged through <command>syslog"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(3)</command> with the LOG_AUTHPRIV facility."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>quiet</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Suppress log messages for unknown users."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>forward_pass</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If <option>forward_pass</option> is set the entered password is put on the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"stack for other PAM modules to use."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>use_first_pass</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The argument use_first_pass forces the module to use a previous stacked "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"modules password and will never prompt the user - if no password is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"available or the password is not appropriate, the user will be denied access."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>use_authtok</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When password changing enforce the module to set the new password to the one "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provided by a previously stacked password module."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>retry=N</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If specified the user is asked another N times for a password if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication fails. Default is 0."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that this option might not work as expected if the application "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"calling PAM handles the user dialog on its own. A typical example is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sshd</command> with <option>PasswordAuthentication</option>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "MODULE TYPES PROVIDED"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"All module types (<option>account</option>, <option>auth</option>, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>password</option> and <option>session</option>) are provided."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "FILES"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If a password reset by root fails, because the corresponding SSSD provider "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"does not support password resets, an individual message can be displayed. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This message can e.g. contain instructions about how to reset a password."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"filename> where LOC stands for a locale string returned by <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>. If there is no matching file the content of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the owner of the files and only root may have read and write permissions "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"while all other users must have only read permissions."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"These files are searched in the directory <filename>/etc/sssd/customize/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sssd_krb5_locator_plugin"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"libraries what Realm and which KDC to use. Typically this is done in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"To simplify the configuration the Realm and the KDC can be defined in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> as described in <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"</citerefentry> puts the Realm and the name or IP address of the KDC into "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"libraries it reads and evaluates these variables and returns them to the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Not all Kerberos implementations support the use of plugins. If "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sssd_krb5_locator_plugin</command> is not available on your system "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"debug messages will be sent to stderr."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sssd-simple"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "the configuration file for SSSD's 'simple' access-control provider"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This manual page describes the configuration of the simple access-control "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> manual page."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The simple access provider grants or denies access based on an access or "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"deny list of user or group names. The following rules apply:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "If all lists are empty, access is granted"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If any list is provided, the order of evaluation is allow,deny. This means "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"that any matching deny rule will supersede any matched allow rule."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If either or both \"allow\" lists are provided, all users are denied unless "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"they appear in the list."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If only \"deny\" lists are provided, all users are granted access unless "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"they appear in the list."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "simple_allow_users (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Comma separated list of users who are allowed to log in."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "simple_deny_users (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Comma separated list of users who are explicitly denied access."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "simple_allow_groups (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Comma separated list of groups that are allowed to log in. This applies only "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to groups within this SSSD domain. Local groups are not evaluated."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "simple_deny_groups (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Comma separated list of groups that are explicitly denied access. This "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"applies only to groups within this SSSD domain. Local groups are not "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sssd-simple.5.xml:70 sssd-ipa.5.xml:65 sssd-ad.5.xml:76
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> manual page for details on the configuration of an SSSD "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that it is an configuration error if both, simple_allow_users "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"and simple_deny_users, are defined."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following example assumes that SSSD is correctly configured and example."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This examples shows only the simple access provider-specific options."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" access_provider = simple\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" simple_allow_users = user1, user2\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sssd-ipa"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This manual page describes the configuration of the IPA provider for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The IPA provider is a back end used to connect to an IPA server. (Refer to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the freeipa.org web site for information about IPA servers.) This provider "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"requires that the machine be joined to the IPA domain; configuration is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"almost entirely self-discovered and obtained directly from the server."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The IPA provider accepts the same options used by the <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider with some exceptions described below."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"However, it is neither necessary nor recommended to set these options. IPA "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider can also be used as an access and chpass provider. As an access "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider it uses HBAC (host-based access control) rules. Please refer to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"freeipa.org for more information about HBAC. No configuration of access "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider is required on the client side."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_domain (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the name of the IPA domain. This is optional. If not provided, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the configuration domain name is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "ipa_server, ipa_backup_server (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The comma-separated list of IP addresses or hostnames of the IPA servers to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"which SSSD should connect in the order of preference. For more information "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This is optional if autodiscovery is enabled. For more information on "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_hostname (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Optional. May be set on machines where the hostname(5) does not reflect the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"fully qualified name used in the IPA domain to identify this host."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_dyndns_update (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Optional. This option tells SSSD to automatically update the DNS server "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"built into FreeIPA v2 with the IP address of this client."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the default Kerberos realm must be set properly in /etc/krb5.conf"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_dyndns_iface (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Optional. Applicable only when ipa_dyndns_update is true. Choose the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"interface whose IP address should be used for dynamic DNS updates."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Use the IP address of the IPA LDAP connection"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_hbac_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Optional. Use the given string as search base for HBAC related objects."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Use base DN"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_host_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Optional. Use the given string as search base for host objects."
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#: sssd-ipa.5.xml:163 sssd-ipa.5.xml:187 sssd-ipa.5.xml:206 sssd-ipa.5.xml:225
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"See <quote>ldap_search_base</quote> for information about configuring "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"multiple search bases."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If filter is given in any of search bases and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>ipa_hbac_support_srchost</emphasis> is set to False, the filter "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"will be ignored."
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#: sssd-ipa.5.xml:173 sssd-ipa.5.xml:192 include/ldap_search_bases.xml:23
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#: include/ldap_search_bases_experimental.xml:23
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Optional. Use the given string as search base for SELinux user maps."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_subdomains_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Optional. Use the given string as search base for trusted domains."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_master_domain_search_base (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Optional. Use the given string as search base for master domain object."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_validate (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Verify with the help of krb5_keytab that the TGT obtained has not been "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Note that this default differs from the traditional Kerberos provider back "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The name of the Kerberos realm. This is optional and defaults to the value "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of <quote>ipa_domain</quote>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The name of the Kerberos realm has a special meaning in IPA - it is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"converted into the base DN to use for performing LDAP operations."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies if the host and user principal should be canonicalized when "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"connecting to IPA LDAP and also for AS requests. This feature is available "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"with MIT Kerberos >= 1.7"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_hbac_refresh (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The amount of time between lookups of the HBAC rules against the IPA server. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This will reduce the latency and load on the IPA server if there are many "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access-control requests made in a short period."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: 5 (seconds)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_hbac_treat_deny_as (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option specifies how to treat the deprecated DENY-type HBAC rules. As "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of FreeIPA v2.1, DENY rules are no longer supported on the server. All users "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of FreeIPA will need to migrate their rules to use only the ALLOW rules. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"client will support two modes of operation during this transition period:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>DENY_ALL</emphasis>: If any HBAC DENY rules are detected, all "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"users will be denied access."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>IGNORE</emphasis>: SSSD will ignore any DENY rules. Be very "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"careful with this option, as it may result in opening unintended access."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: DENY_ALL"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_hbac_support_srchost (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If this is set to false, then srchost as given to SSSD by PAM will be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Note that if set to <emphasis>False</emphasis>, this option casuses filters "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"given in <emphasis>ipa_host_search_base</emphasis> to be ignored;"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_automount_location (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The automounter location this IPA client will be using"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: The location named \"default\""
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_netgroup_member_of (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that lists netgroup's memberships."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_netgroup_member_user (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that lists system users and groups that are direct "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"members of the netgroup."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: memberUser"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_netgroup_member_host (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that lists hosts and host groups that are direct members "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of the netgroup."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: memberHost"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_netgroup_member_ext_host (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that lists FQDNs of hosts and host groups that are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"members of the netgroup."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: externalHost"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_netgroup_domain (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains NIS domain name of the netgroup."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: nisDomainName"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_host_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The object class of a host entry in LDAP."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipaHost"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_host_fqdn (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains FQDN of the host."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: fqdn"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_usermap_object_class (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_usermap_name (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the name of SELinux usermap."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_usermap_member_user (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains all users / groups this rule match against."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_usermap_member_host (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains all hosts / hostgroups this rule match "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_usermap_see_also (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains DN of HBAC rule which can be used for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"matching instead of memberUser and memberHost"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: seeAlso"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_usermap_selinux_user (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains SELinux user string itself."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipaSELinuxUser"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_usermap_enabled (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The LDAP attribute that contains whether or not is user map enabled for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipaEnabledFlag"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_usermap_user_category (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains user category such as 'all'."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: userCategory"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_usermap_host_category (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains host category such as 'all'."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: hostCategory"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_selinux_usermap_uuid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains unique ID of the user map."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipaUniqueID"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ipa_host_ssh_public_key (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The LDAP attribute that contains the host's SSH public keys."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: ipaSshPubKey"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following example assumes that SSSD is correctly configured and example."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This examples shows only the ipa provider-specific options."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" id_provider = ipa\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" ipa_hostname = myhost.example.com\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sssd-ad"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This manual page describes the configuration of the AD provider for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The AD provider is a back end used to connect to an Active Directory server. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This provider requires that the machine be joined to the AD domain and a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"keytab is available."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The AD provider supports connecting to Active Directory 2008 R2 or later. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Earlier versions may work, but are unsupported."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The AD provider accepts the same options used by the <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider with some exceptions described below."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"However, it is neither necessary nor recommended to set these options. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"AD provider can also be used as an access and chpass provider. No "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"configuration of the access provider is required on the client side."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_id_mapping = False\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"By default, the AD provider will map UID and GID values from the objectSID "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"parameter in Active Directory. For details on this, see the <quote>ID "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"MAPPING</quote> section below. If you want to disable ID mapping and instead "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"rely on POSIX attributes defined in Active Directory, you should set "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ad_domain (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the name of the Active Directory domain. This is optional. If not "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provided, the configuration domain name is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For proper operation, this option should be specified as the lower-case "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"version of the long version of the Active Directory domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "ad_server, ad_backup_server (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The comma-separated list of IP addresses or hostnames of the AD servers to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"which SSSD should connect in order of preference. For more information on "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"failover and server redundancy, see the <quote>FAILOVER</quote> section. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This is optional if autodiscovery is enabled. For more information on "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ad_hostname (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Optional. May be set on machines where the hostname(5) does not reflect the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"fully qualified name used in the Active Directory domain to identify this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This field is used to determine the host principal in use in the keytab. It "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"must match the hostname for which the keytab was issued."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"fallback_homedir = /home/%u\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following example assumes that SSSD is correctly configured and example."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This example shows only the AD provider-specific options."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"id_provider = ad\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"auth_provider = ad\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"access_provider = ad\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"chpass_provider = ad\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ad_hostname = client.example.com\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ad_domain = example.com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "sssd-sudo"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"This manual page describes how to configure <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Configuring sudo to cooperate with SSSD"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"the <emphasis>sudoers</emphasis> entry in <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"For example, to configure sudo to first lookup rules in the standard "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"manvolnum> </citerefentry> file (which should contain rules that apply to "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"local users) and then in SSSD, the nsswitch.conf file should contain the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"following line:"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "sudoers: files sss\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"More information about configuring the sudoers search order from the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"nsswitch.conf file as well as information about the LDAP schema that is used "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"to store sudo rules in the directory can be found in <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Configuring SSSD to fetch sudo rules"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The following example shows how to configure SSSD to download sudo rules "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"from an LDAP server."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"config_file_version = 2\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"services = nss, pam, sudo\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"domains = EXAMPLE\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"id_provider = ldap\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"sudo_provider = ldap\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_uri = ldap://example.com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The following example illustrates setting up SSSD to download sudo rules "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"from an IPA server. It is necessary to use the LDAP provider and set "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"appropriate connection parameters to authenticate correctly against the IPA "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"server, because SSSD does not have native support of IPA provider for sudo "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"config_file_version = 2\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"services = nss, pam, sudo\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"domains = EXAMPLE\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"id_provider = ipa\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ipa_domain = example.com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ipa_server = ipa.example.com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_tls_cacert = /etc/ipa/ca.crt\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"sudo_provider = ldap\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_uri = ldap://ipa.example.com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_sasl_mech = GSSAPI\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_sasl_authid = host/hostname.example.com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_sasl_realm = EXAMPLE.COM\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"krb5_server = ipa.example.com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "The SUDO rule caching mechanism"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The biggest challenge, when developing sudo support in SSSD, was to ensure "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"that running sudo with SSSD as the data source provides the same user "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"experience and is as fast as sudo but keeps providing the most current set "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"of rules as possible. To satisfy these requirements, SSSD uses three kinds "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"of updates. They are referred to as full refresh, smart refresh and rules "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"new or were modified after the last update. Its primary goal is to keep the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"database growing by fetching only small increments that do not generate "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"large amounts of network traffic."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"in the cache and replaces them with all rules that are stored on the server. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"This is used to keep the cache consistent by removing every rule which was "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"deleted from the server. However, full refresh may produce a lot of traffic "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"and thus it should be run only occasionally depending on the size and "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"stability of the sudo rules."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"more permission than defined. It is triggered each time the user runs sudo. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Rules refresh will find all rules that apply to this user, check their "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"expiration time and redownload them if expired. In the case that any of "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"these rules are missing on the server, the SSSD will do an out of band full "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"refresh because more rules (that apply to other users) may have been deleted."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"If enabled, SSSD will store only rules that can be applied to this machine. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"This means rules that contain one of the following values in "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<emphasis>sudoHost</emphasis> attribute:"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "keyword ALL"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "regular expression"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "netgroup (in the form \"+netgroup\")"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "hostname or fully qualified domain name of this machine"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "one of the IP addresses of this machine"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "one of the IP addresses of the network (in the form \"address/mask\")"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"There are many configuration options that can be used to adjust the "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "System Security Services Daemon"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>SSSD</command> provides a set of daemons to manage access to remote "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directories and authentication mechanisms. It provides an NSS and PAM "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"interface toward the system and a pluggable backend system to connect to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"multiple different account sources as well as D-Bus interface. It is also "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the basis to provide client auditing and policy services for projects like "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"FreeIPA. It provides a more robust database to store local users as well as "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"extended user data."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>0</emphasis>: Disable microseconds in timestamp"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-f</option>,<option>--debug-to-files</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Send the debug output to files instead of stderr. By default, the log files "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are stored in <filename>/var/log/sssd</filename> and there are separate log "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"files for every SSSD service and domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-D</option>,<option>--daemon</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Become a daemon after starting up."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-i</option>,<option>--interactive</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Run in the foreground, don't become a daemon."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-c</option>,<option>--config</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"conf</filename>. For reference on the config file syntax and options, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> manual page."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>--version</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Print version number and exit."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Signals"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Informs the SSSD to gracefully terminate all of its child processes and then "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"shut down the monitor."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SIGHUP"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Tells the SSSD to stop writing to its current debug file descriptors and to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"close and reopen them. This is meant to facilitate log rolling with programs "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"like logrotate."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SIGUSR1"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Tells the SSSD to simulate offline operation for one minute. This is mostly "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"useful for testing purposes."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SIGUSR2"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Tells the SSSD to go online immediately. This is mostly useful for testing "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_obfuscate"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "obfuscate a clear text password"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable></arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_obfuscate</command> converts a given password into human-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"unreadable format and places it into appropriate domain section of the SSSD "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"config file."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The cleartext password is read from standard input or entered "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"interactively. The obfuscated password is put into "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap_default_authtok_type</quote> parameter is set to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more details on these parameters."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that obfuscating the password provides <emphasis>no real "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"security benefit</emphasis> as it is still possible for an attacker to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"reverse-engineer the password back. Using better authentication mechanisms "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-s</option>,<option>--stdin</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The password to obfuscate will be read from standard input."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
ea929f1b022fc2cb77dec89b0e12accef983ec85Jakub Hrozek#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:79
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The SSSD domain to use the password in. The default name is <quote>default</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Read the config file specified by the positional parameter."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_useradd"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "create a new user"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_useradd</command> creates a new user account using the values "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"specified on the command line plus the default values from the system."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"not given, it is chosen automatically."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Any text string describing the user. Often used as the field for the user's "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The home directory of the user account. The default is to append the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"that as the home directory. The base that is prepended before "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"baseDirectory</quote> setting in sssd.conf."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The user's login shell. The default is currently <filename>/bin/bash</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"filename>. The default can be changed with <quote>user_defaults/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"defaultShell</quote> setting in sssd.conf."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "A list of existing groups this user is also a member of."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-m</option>,<option>--create-home</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Create the user's home directory if it does not exist. The files and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directories contained in the skeleton directory (which can be defined with "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the -k option or in the config file) will be copied to the home directory."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-M</option>,<option>--no-create-home</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Do not create the user's home directory. Overrides configuration settings."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The skeleton directory, which contains files and directories to be copied in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the user's home directory, when the home directory is created by "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_useradd</command>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option is only valid if the <option>-m</option> (or <option>--create-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"home</option>) option is specified, or creation of home directories is set "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"to TRUE in the configuration."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-Z</option>,<option>--selinux-user</option> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>SELINUX_USER</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The SELinux user for the user's login. If not specified, the system default "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"will be used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sssd-krb5"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This manual page describes the configuration of the Kerberos 5 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication backend for <citerefentry> <refentrytitle>sssd</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> manual page"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The Kerberos 5 authentication backend contains auth and chpass providers. It "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"must be paired with identity provider in order to function properly (for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"example, id_provider = ldap). Some information required by the Kerberos 5 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication backend must be provided by the identity provider, such as "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the user's Kerberos Principal Name (UPN). The configuration of the identity "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"provider should have an entry to specify the UPN. Please refer to the man "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"page for the applicable identity provider for details on how to configure "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This backend also provides access control based on the .k5login file in the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that an empty .k5login file will deny all access to this user. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"To activate this feature use 'access_provider = krb5' in your sssd "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"configuration."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"In the case where the UPN is not available in the identity backend "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sssd</command> will construct a UPN using the format "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The name of the Kerberos realm. This option is required and must be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "krb5_kpasswd, krb5_backup_kpasswd (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If the change password service is not running on the KDC alternative servers "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"can be defined here. An optional port number (preceded by a colon) may be "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"appended to the addresses or hostnames."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For more information on failover and server redundancy, see the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>FAILOVER</quote> section. Please note that even if there are no more "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"kpasswd servers to try, the back end is not switched to offline if "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication against the KDC is still possible."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: Use the KDC"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_ccachedir (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Directory to store credential caches. All the substitution sequences of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"krb5_ccname_template can be used here, too, except %d and %P. If the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directory does not exist it will be created. If %u, %U, %p or %h are used a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"private directory belonging to the user is created. Otherwise a public "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directory with restricted deletion flag (aka sticky bit, see <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for details) is created."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: /tmp"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_ccname_template (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "login UID"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "principal name"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "realm name"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "home directory"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "value of krb5ccache_dir"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "the process ID of the sssd client"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Location of the user's credential cache. Two credential cache types are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"currently supported - <quote>FILE</quote> and <quote>DIR</quote>. The cache "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"can either be specified as <replaceable>TYPE:RESIDUAL</replaceable>, or an "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"absolute path, which implies the <quote>FILE</quote> type. In the template "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the following sequences are substituted: <placeholder type=\"variablelist\" "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"id=\"0\"/> If the template ends with 'XXXXXX' mkstemp(3) is used to create a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"unique filename in a safe way."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: FILE:%d/krb5cc_%U_XXXXXX"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_auth_timeout (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Timeout in seconds after an online authentication or change password request "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is aborted. If possible the authentication request is continued offline."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_keytab (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The location of the keytab to use when validating credentials obtained from "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: /etc/krb5.keytab"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_store_password_if_offline (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Store the password of the user if the provider is offline and use it to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"request a TGT when the provider gets online again."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that this feature is currently only available on a Linux platform. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Passwords stored in this way are kept in plaintext in the kernel keyring and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are potentially accessible by the root user (with difficulty)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_renewable_lifetime (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Request a renewable ticket with a total lifetime given by an integer "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"immediately followed by one of the following delimiters:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>s</emphasis> seconds"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>m</emphasis> minutes"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>h</emphasis> hours"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>d</emphasis> days."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that it is not possible to mix units. If you want to set the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"renewable lifetime to one and a half hours please use '90m' instead of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: not set, i.e. the TGT is not renewable"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_lifetime (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Request a ticket with a lifetime given by an integer immediately "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"followed by one of the following delimiters:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note that it is not possible to mix units. If you want to set the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"lifetime to one and a half hours please use '90m' instead of '1h30m'."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Default: not set, i.e. the default ticket lifetime configured on the KDC."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_renew_interval (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The time in seconds between two checks if the TGT should be renewed. TGTs "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"are renewed if about half of their lifetime is exceeded."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "If this option is not set or 0 the automatic renewal is disabled."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_use_fast (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"authentication. The following options are supported:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"option at all."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"continue without it."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Default: not set, i.e. FAST is not used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Please note that a keytab is required to use FAST."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please note also that sssd supports FAST only with MIT Kerberos version 1.8 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"and above. If sssd is used with an older version, using this option is a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"configuration error."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "krb5_fast_principal (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specifies the server principal to use for FAST."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies if the host and user principal should be canonicalized. This "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"feature is available with MIT Kerberos >= 1.7"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If the auth-module krb5 is used in an SSSD domain, the following options must "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"be used. See the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> manual page, section <quote>DOMAIN "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"SECTIONS</quote> for details on the configuration of an SSSD domain. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<placeholder type=\"variablelist\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The following example assumes that SSSD is correctly configured and FOO is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"example shows only the configuration of Kerberos authentication; it does not "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"include any identity provider."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" auth_provider = krb5\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" krb5_server = 192.168.1.1\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek" krb5_realm = EXAMPLE.COM\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_groupadd"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "create a new group"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupadd</command> creates a new group. These groups are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"compatible with POSIX groups, with the additional feature that they can "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"contain other groups as members."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Set the GID of the group to the value of <replaceable>GID</replaceable>. If "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"not given, it is chosen automatically."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_userdel"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "delete a user account"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_userdel</command> deletes a user identified by login name "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>LOGIN</replaceable> from the system."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-r</option>,<option>--remove</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Files in the user's home directory will be removed along with the home "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directory itself and the user's mail spool. Overrides the configuration."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-R</option>,<option>--no-remove</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Files in the user's home directory will NOT be removed along with the home "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directory itself and the user's mail spool. Overrides the configuration."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-f</option>,<option>--force</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"This option forces <command>sss_userdel</command> to remove the user's home "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"directory and mail spool, even if they are not owned by the specified user."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-k</option>,<option>--kick</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Before actually deleting the user, terminate all of the user's processes."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_groupdel"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "delete a group"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupdel</command> deletes a group identified by its name "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>GROUP</replaceable> from the system."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_groupshow"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "print properties of a group"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_groupshow</command> displays information about a group "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"identified by its name <replaceable>GROUP</replaceable>. The information "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"includes the group ID number, members of the group and the parent group."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-R</option>,<option>--recursive</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Also print indirect group members in a tree-like hierarchy. Note that this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"also affects printing parent groups - without <option>R</option>, only the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"direct parent will be printed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_usermod"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "modify a user account"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_usermod</command> modifies the account specified by "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"on the command line."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The home directory of the user account."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The user's login shell."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Append this user to groups specified by the <replaceable>GROUPS</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"a comma separated list of group names."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Remove this user from groups specified by the <replaceable>GROUPS</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> parameter."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-l</option>,<option>--lock</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Lock the user account. The user won't be able to log in."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-u</option>,<option>--unlock</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Unlock the user account."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The SELinux user for the user's login."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_cache"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "perform cache cleanup"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"records are forced to be reloaded from server as soon as related SSSD "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"backend is online."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Invalidate specific user."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-U</option>,<option>--users</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Invalidate all user records. This option overrides invalidation of specific "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"user if it was also set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Invalidate specific group."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-G</option>,<option>--groups</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Invalidate all group records. This option overrides invalidation of specific "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"group if it was also set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Invalidate specific netgroup."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-N</option>,<option>--netgroups</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Invalidate all netgroup records. This option overrides invalidation of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"specific netgroup if it was also set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-s</option>,<option>--service</option> <replaceable>service</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Invalidate specific service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-S</option>,<option>--services</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Invalidate all service records. This option overrides invalidation of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"specific service if it was also set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Invalidate specific autofs maps."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<option>-A</option>,<option>--autofs-maps</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Invalidate all autofs maps. This option overrides invalidation of specific "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"map if it was also set."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-d</option>,<option>--domain</option> <replaceable>domain</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Restrict invalidation process only to a particular domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_debuglevel"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "change debug level while SSSD is running"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"replaceable></arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_debuglevel</command> changes debug level of SSSD monitor and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"providers to <replaceable>NEW_DEBUG_LEVEL</replaceable> while SSSD is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<replaceable>NEW_DEBUG_LEVEL</replaceable>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "sss_seed"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "seed the SSSD cache with a user"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<command>sss_seed</command> seeds the SSSD cache with a user entry and "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"temporary password. If a user entry is already present in the SSSD cache "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"then the entry is updated with the temporary password."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Provide the name of the domain in which the user is a member of. The domain "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"is also used to retrieve user information. The domain must be configured in "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Information retrieved from the domain overrides what is provided in the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<option>-n</option>,<option>--username</option> <replaceable>USER</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The username of the entry to be created or modified in the cache. The "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<replaceable>USER</replaceable> option must be provided."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Set the UID of the user to <replaceable>UID</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Set the GID of the user to <replaceable>GID</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Set the login shell of the user to <replaceable>SHELL</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Interactive mode for entering user information. This option will only prompt "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"for information not provided in the options or retrieved from the domain."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Specify file to read user's password from. (if not specified password is "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"prompted for)"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"The length of the password (or the size of file specified with -p or --"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"on systems with no globally-defined PASS_MAX value)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_ssh_authorizedkeys"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refmeta><manvolnum>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "get OpenSSH authorized keys"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>options</replaceable> </arg> <arg "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"choice='plain'><replaceable>USER</replaceable></arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> for more information)."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"command> for public key user authentication if it is compiled with support "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"for either <quote>AuthorizedKeysCommand</quote> or <quote>PubkeyAgent</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"quote> <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<manvolnum>5</manvolnum></citerefentry> options."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If <quote>AuthorizedKeysCommand</quote> is supported, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> can be configured to use it by putting the following directive "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"in <citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum></citerefentry>: <placeholder type=\"programlisting\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If <quote>PubkeyAgent</quote> is supported, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> can be configured to use it by using the following directive "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"for <citerefentry> <refentrytitle>sshd</refentrytitle> <manvolnum>8</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum></citerefentry> configuration: <placeholder type=\"programlisting"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "sss_ssh_knownhostsproxy"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "get OpenSSH host keys"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<replaceable>options</replaceable> </arg> <arg "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"pubconf/known_hosts</filename> and establishes connection to the host."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"create the connection to the host instead of opening a socket."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"command> for host key authentication by using the following directives for "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Use port <replaceable>PORT</replaceable> to connect to the host. By "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"default, port 22 is used."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SERVICE DISCOVERY"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The service discovery feature allows back ends to automatically find the "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"appropriate servers to connect to using a special DNS query. This feature is "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"not supported for backup servers."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:57
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Configuration"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If no servers are specified, the back end automatically uses service "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"discovery to try to find a server. Optionally, the user may choose to use "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"both fixed server addresses and service discovery by inserting a special "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"preference is maintained. This feature is useful if, for example, the user "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"prefers to use service discovery whenever possible, and fall back to a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"specific server when no servers can be discovered using DNS."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The domain name"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry> manual page for more details."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The protocol"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The queries usually specify _tcp as the protocol. Exceptions are documented "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"in respective option description."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "See Also"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"For more information on the service discovery mechanism, refer to RFC 2782."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: outside any tag (error?)
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "FAILOVER"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The failover feature allows back ends to automatically switch to a different "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"server if the current server fails."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Failover Syntax"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The list of servers is given as a comma-separated list; any number of spaces "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"is allowed around the comma. The servers are listed in order of preference. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The list can contain any number of servers."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"For each failover-enabled config option, two variants exist: "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"that servers in the primary list are preferred and backup servers are only "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"searched if no primary servers can be reached. If a backup server is "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"selected, a timeout of 30 seconds is set. After this timeout SSSD will "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"periodically try to reconnect to one of the primary servers. If it succeeds, "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"it will replace the current active (backup) server."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "The Failover Mechanism"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The failover mechanism distinguishes between a machine and a service. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"back end first tries to resolve the hostname of a given machine; if this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"resolution attempt fails, the machine is considered offline. No further "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"attempts are made to connect to this machine for any other service. If the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"resolution attempt succeeds, the back end tries to connect to a service on "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"this machine. If the service connection attempt fails, then only this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"particular service is considered offline and the back end automatically "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"switches over to the next service. The machine is still considered online "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"and might still be tried for another service."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Further connection attempts are made to machines or services marked as "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"offline after a specified period of time; this is currently hard coded to 30 "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"If there are no more machines to try, the back end as a whole switches to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"offline mode, and then attempts to reconnect every 30 seconds."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ID MAPPING"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The ID-mapping feature allows SSSD to act as a client of Active Directory "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"without requiring administrators to extend user attributes to support POSIX "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"attributes for user and group identifiers."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ignored. This is to avoid the possibility of conflicts between automatically-"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"assigned and manually-assigned values. If you need to use manually-assigned "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"values, ALL values must be manually-assigned."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Mapping Algorithm"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Active Directory provides an objectSID for every user and group object in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the directory. This objectSID can be broken up into components that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"represent the Active Directory domain identity and the relative identifier "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"(RID) of the user or group object."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"into equally-sized component sections, called \"slices\". Each slice "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"represents the space available to an Active Directory domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When a user or group entry for a particular domain is encountered for the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"first time, the SSSD allocates one of the available slices for that domain. "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"In order to make this slice-assignment repeatable on different client "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"machines, we select the slice based on the following algorithm:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The SID string is passed through the murmurhash3 algorithm to convert it to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"a 32-bit hashed value. We then take the modulus of this value with the total "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"number of available slices to pick the slice."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"NOTE: It is possible to encounter collisions in the hash and subsequent "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"modulus. In these situations, we will select the next available slice, but "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"it may not be possible to reproduce the same exact set of slices on other "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"machines (since the order that they are encountered will determine their "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"slice). In this situation, it is recommended to either switch to using "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"explicit POSIX attributes in Active Directory (disabling ID-mapping) or "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"configure a default domain to guarantee that at least one is always "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"consistent. See <quote>Configuration</quote> for details."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para><programlisting>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_id_mapping = True\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"ldap_schema = ad\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The default configuration results in configuring 10,000 slices, each capable "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"of holding up to 200,000 IDs, starting from 10,001 and going up to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"2,000,100,000. This should be sufficient for most deployments."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Advanced Configuration"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_range_min (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the lower bound of the range of POSIX IDs to use for mapping "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Active Directory user and group SIDs."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"NOTE: This option is different from <quote>min_id</quote> in that "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"<quote>min_id</quote> acts to filter the output of requests to this domain, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"whereas this option controls the range of ID assignment. This is a subtle "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"distinction, but the good general advice would be to have <quote>min_id</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#: include/ldap_id_mapping.xml:95 include/ldap_id_mapping.xml:131
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "Default: 200000"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_range_max (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the upper bound of the range of POSIX IDs to use for mapping "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Active Directory user and group SIDs."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"NOTE: This option is different from <quote>max_id</quote> in that "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"<quote>max_id</quote> acts to filter the output of requests to this domain, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"whereas this option controls the range of ID assignment. This is a subtle "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"distinction, but the good general advice would be to have <quote>max_id</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "Default: 2000200000"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_range_size (integer)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specifies the number of IDs available for each slice. If the range size "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"does not divide evenly into the min and max values, it will create as many "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"complete slices as it can."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_default_domain_sid (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Specify the domain SID of the default domain. This will guarantee that this "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"domain will always be assigned to slice zero in the ID map, bypassing the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"murmurhash algorithm described above."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_default_domain (string)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Specify the name of the default domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "ldap_idmap_autorid_compat (boolean)"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Changes the behavior of the ID-mapping algorithm to behave more similarly to "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"winbind's <quote>idmap_autorid</quote> algorithm."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"When this option is configured, domains will be allocated starting with "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"slice zero and increasing monotonically with each additional domain."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"NOTE: This algorithm is non-deterministic (it depends on the order that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"users and groups are requested). If this mode is required for compatibility "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"with machines running winbind, it is recommended to also use the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"least one domain is consistently allocated to slice zero."
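
The ID-mapping strings above describe slice selection, collision handling and the default-domain override; the following Python sketch is an added example (not SSSD source code) that carries them through with the option defaults listed under Advanced Configuration. Assumptions not stated on the page: the hash seed, hashing only the domain part of the SID, probing that wraps around, and the final ID being the slice base plus the RID.

```python
# Added sketch of the slice allocation described above; not SSSD source code.
RANGE_MIN = 200000        # "Default:" values listed on this page
RANGE_MAX = 2000200000
RANGE_SIZE = 200000
HASH_SEED = 0xDEADBEEF    # assumption: the page does not give the seed
MASK = 0xFFFFFFFF


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def _mix_k(k):
    k = (k * 0xCC9E2D51) & MASK
    return (_rotl32(k, 15) * 0x1B873593) & MASK


def murmur3_32(data, seed=0):
    """MurmurHash3, x86 32-bit variant, over a bytes object."""
    h = seed & MASK
    body = len(data) - len(data) % 4
    for i in range(0, body, 4):
        h ^= _mix_k(int.from_bytes(data[i:i + 4], "little"))
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK
    if body < len(data):                      # 1 to 3 trailing bytes
        h ^= _mix_k(int.from_bytes(data[body:], "little"))
    h ^= len(data)
    h = ((h ^ (h >> 16)) * 0x85EBCA6B) & MASK
    h = ((h ^ (h >> 13)) * 0xC2B2AE35) & MASK
    return h ^ (h >> 16)


class IdMap:
    def __init__(self, range_min=RANGE_MIN, range_max=RANGE_MAX,
                 range_size=RANGE_SIZE, default_domain_sid=None):
        self.range_min = range_min
        self.range_size = range_size
        # A range that does not divide evenly yields complete slices only.
        self.num_slices = (range_max - range_min) // range_size
        self.slices = {}                      # domain SID -> slice number
        if default_domain_sid is not None:
            self.slices[default_domain_sid] = 0   # pinned, bypasses the hash

    def domain_slice(self, domain_sid):
        """Return the domain's slice, allocating one the first time it is seen."""
        if domain_sid in self.slices:
            return self.slices[domain_sid]
        taken = set(self.slices.values())
        if len(taken) >= self.num_slices:
            raise LookupError("no free slice left in the configured range")
        s = murmur3_32(domain_sid.encode("ascii"), HASH_SEED) % self.num_slices
        while s in taken:                     # collision: next available slice
            s = (s + 1) % self.num_slices     # wrap-around is an assumption
        self.slices[domain_sid] = s
        return s

    def sid_to_id(self, sid):
        """Map an object SID '<domain SID>-<RID>' to a POSIX ID."""
        domain_sid, sep, rid_text = sid.rpartition("-")
        if not sep or not domain_sid.startswith("S-1-"):
            raise ValueError("not an object SID: %r" % sid)
        if not (rid_text.isascii() and rid_text.isdigit()):
            raise ValueError("RID is not a decimal number: %r" % sid)
        rid = int(rid_text)
        if rid >= self.range_size:
            raise ValueError("RID %d does not fit in a slice" % rid)
        base = self.range_min + self.domain_slice(domain_sid) * self.range_size
        return base + rid


def collision_order_demo():
    """Show that a colliding domain's slice depends on encounter order.

    Three constructed domain SIDs compete for two slices, so at least two of
    them hash to the same slice. Returns that domain's slice on two clients
    that met the colliding pair in opposite order.
    """
    doms = ["S-1-5-21-1000000001-1000000002-1000000003",
            "S-1-5-21-2000000001-2000000002-2000000003",
            "S-1-5-21-3000000001-3000000002-3000000003"]
    by_slice = {}
    for d in doms:
        by_slice.setdefault(murmur3_32(d.encode("ascii"), HASH_SEED) % 2, []).append(d)
    x, y = next(v for v in by_slice.values() if len(v) >= 2)[:2]
    client_a, client_b = IdMap(1000, 3000, 1000), IdMap(1000, 3000, 1000)
    client_a.domain_slice(x), client_a.domain_slice(y)
    client_b.domain_slice(y), client_b.domain_slice(x)
    return client_a.slices[x], client_b.slices[x]


if __name__ == "__main__":
    sid = "S-1-5-21-1111111111-2222222222-3333333333-1104"   # constructed
    print(sid, "->", IdMap().sid_to_id(sid))
    print("slice on client A vs client B:", collision_order_demo())
```

Two clients that disagree on a slice resolve the same directory user to different POSIX IDs, so file ownership on shared storage stops lining up; pinning the default domain removes that risk for one domain only.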
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "<option>-?</option>,<option>--help</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: include/param_help.xml:7 include/param_help_py.xml:7
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Display help message and exit."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "<option>-h</option>,<option>--help</option>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Bit mask that indicates which debug levels will be visible. 0x0010 is the "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"default value as well as the lowest allowed value, 0xFFF0 is the most "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"verbose mode. This setting overrides the settings from the config file."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "Currently supported debug levels:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>0x0010</emphasis>: Fatal failures. Anything that would prevent "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"SSSD from starting up or causes it to cease running."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>0x0020</emphasis>: Critical failures. An error that doesn't kill "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the SSSD, but one that indicates that at least one major feature is not "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"going to work properly."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>0x0040</emphasis>: Serious failures. An error announcing that a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"particular request or operation has failed."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>0x0080</emphasis>: Minor failures. These are the errors that would "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"percolate down to cause the operation failure of 2."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>0x0100</emphasis>: Configuration settings."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>0x0200</emphasis>: Function data."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>0x0400</emphasis>: Trace messages for operation functions."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>0x1000</emphasis>: Trace messages for internal control functions."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>0x2000</emphasis>: Contents of function-internal variables that "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"may be interesting."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "<emphasis>0x4000</emphasis>: Extremely low-level tracing information."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"To log required debug levels, simply add their numbers together as shown in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"the following examples:"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"serious failures and function data use 0x0270."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"function data, trace messages for internal control functions use 0x1310."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <listitem><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis>Note</emphasis>: This is the new format of debug levels introduced in "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"1.7.0. The older format (numbers from 0-10) is compatible but deprecated."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: outside any tag (error?)
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<emphasis> This is an experimental feature, please use http://fedorahosted."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"org/sssd to report any issues. </emphasis>"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "THE LOCAL DOMAIN"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"In order to function correctly, a domain with <quote>id_provider=local</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"quote> must be created and the SSSD must be running."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"The administrator might want to use the SSSD local users instead of "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"traditional UNIX users in cases where the group nesting (see <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>) is needed. The local users are also useful for testing and "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"development of the SSSD without having to deploy a full remote server. The "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<command>sss_user*</command> and <command>sss_group*</command> tools use a "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"local LDB storage to store users and groups."
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><title>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozekmsgid "SEE ALSO"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek#. type: Content of: <refsect1><para>
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>, </phrase> <citerefentry> <refentrytitle>sss_cache</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_seed</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>8</"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"manvolnum> </citerefentry>, <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sss_ssh_knowhostsproxy</refentrytitle> <manvolnum>8</"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"An optional base DN, search scope and LDAP filter to restrict LDAP searches "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"for this attribute type."
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para><programlisting>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#: include/ldap_search_bases_experimental.xml:13
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The filter "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"must be a valid LDAP search filter as specified by http://www.ietf.org/rfc/"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#: include/ldap_search_bases_experimental.xml:19
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"For examples of this syntax, please refer to the <quote>ldap_search_base</"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"quote> examples section."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: include/ldap_search_bases_experimental.xml:27
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Please note that specifying scope or filter is not supported for searches "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"against an Active Directory Server that might yield a large number of "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"results and trigger the Range Retrieval extension in the response."
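
The search-base syntax above, as an added validator sketch (not SSSD code) that splits an option value into (base DN, scope, filter) triples before it goes into sssd.conf. Assumptions: a bare DN is treated as a subtree search with no filter, the value is split on every "?", and the filter check only tests parenthesis structure rather than implementing the full filter grammar.

```python
# Added sketch: validate a value written in the
# search_base[?scope?[filter][?search_base?scope?[filter]]*] syntax.
VALID_SCOPES = ("base", "onelevel", "subtree")   # the three scopes named on this page


def _parens_balanced(flt):
    """Structural sanity check only; not a complete LDAP filter parser."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and flt.startswith("(") and flt.endswith(")")


def parse_search_bases(value):
    """Return a list of (base_dn, scope, filter_or_None) triples.

    Raises ValueError when the value does not fit the syntax. A literal "?"
    inside a filter would be taken as a separator by this sketch.
    """
    parts = [p.strip() for p in value.split("?")]
    if len(parts) == 1:
        parts += ["subtree", ""]      # assumption: bare DN means subtree, no filter
    if len(parts) % 3 != 0:
        raise ValueError("expected base?scope?[filter] groups, got %d fields" % len(parts))
    triples = []
    for i in range(0, len(parts), 3):
        base, scope, flt = parts[i:i + 3]
        if not base:
            raise ValueError("empty search base in group %d" % (i // 3 + 1))
        if scope not in VALID_SCOPES:
            raise ValueError("invalid scope %r for base %r" % (scope, base))
        if flt and not _parens_balanced(flt):
            raise ValueError("malformed filter %r for base %r" % (flt, base))
        triples.append((base, scope, flt or None))
    return triples


if __name__ == "__main__":
    # Constructed sample value with two search bases.
    sample = ("ou=staff,dc=example,dc=com?subtree??"
              "ou=admins,dc=example,dc=com?onelevel?(objectClass=posixAccount)")
    for triple in parse_search_bases(sample):
        print(triple)
```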
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Please note that the automounter only reads the master map on startup, so if "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"any autofs-related changes are made to the sssd.conf, you typically also "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"need to restart the automounter daemon after restarting the SSSD."