nl.po revision 0172959f117b545c8a6b1893f5f56818d82dd624
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher# SOME DESCRIPTIVE TITLE
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher# Copyright (C) YEAR Red Hat
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher# This file is distributed under the same license as the sssd-docs package.
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek# Wijnand Modderman-Lenstra <accounts-transifex@maze.io>, 2011
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Project-Id-Version: SSSD\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
0172959f117b545c8a6b1893f5f56818d82dd624Jakub Hrozek"POT-Creation-Date: 2013-06-27 21:10+0300\n"
0172959f117b545c8a6b1893f5f56818d82dd624Jakub Hrozek"PO-Revision-Date: 2013-06-11 15:21+0000\n"
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"Last-Translator: jhrozek <jhrozek@redhat.com>\n"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"Language-Team: Dutch (http://www.transifex.com/projects/p/fedora/language/"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Language: nl\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"MIME-Version: 1.0\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Content-Type: text/plain; charset=UTF-8\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Content-Transfer-Encoding: 8bit\n"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"Plural-Forms: nplurals=2; plural=(n != 1);\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 sss_obfuscate.8.xml:5
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:5 sssd-krb5.5.xml:5 sss_groupadd.8.xml:5
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_userdel.8.xml:5 sss_groupdel.8.xml:5 sss_groupshow.8.xml:5
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_usermod.8.xml:5 sss_cache.8.xml:5 sss_debuglevel.8.xml:5
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_seed.8.xml:5 sss_ssh_authorizedkeys.1.xml:5
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "SSSD Manual pages"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "SSSD handleiding"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sss_groupmod"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "sss_groupmod"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refmeta><manvolnum>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_groupmod.8.xml:11 pam_sss.8.xml:14 sssd_krb5_locator_plugin.8.xml:11
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_useradd.8.xml:11
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#: sss_groupshow.8.xml:11 sss_usermod.8.xml:11 sss_cache.8.xml:11
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "modify a group"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "muteer een groep"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>opties</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='plain'><replaceable>GROEP</replaceable></"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:44
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 sss_obfuscate.8.xml:30
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:30 sssd-krb5.5.xml:21 sss_groupadd.8.xml:30
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_userdel.8.xml:30 sss_groupdel.8.xml:30 sss_groupshow.8.xml:30
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_usermod.8.xml:30 sss_cache.8.xml:29 sss_debuglevel.8.xml:30
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_seed.8.xml:31 sss_ssh_authorizedkeys.1.xml:30
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "DESCRIPTION"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "OMSCHRIJVING"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sss_groupmod</command> modifies the group to reflect the changes "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"that are specified on the command line."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sss_groupmod</command> muteert de groep en maakt de aanpassingen "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"die via de opdrachtregel ingegeven zijn."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#: sss_groupmod.8.xml:39 pam_sss.8.xml:51 sssd.8.xml:42 sss_obfuscate.8.xml:58
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_cache.8.xml:38 sss_debuglevel.8.xml:38 sss_seed.8.xml:42
ea929f1b022fc2cb77dec89b0e12accef983ec85Jakub Hrozek#: sss_ssh_authorizedkeys.1.xml:75 sss_ssh_knownhostsproxy.1.xml:62
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "OPTIONS"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "OPTIES"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<option>-a</option>,<option>--append-group</option> <replaceable>GROEPEN</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Append this group to groups specified by the <replaceable>GROUPS</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"a comma separated list of group names."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Voeg deze groep toe aan de groepen opgegeven met de <replaceable>GROEPEN</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> parameter. De <replaceable>GROEPEN</replaceable> parameter is "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"een kommagescheiden lijst van groepnamen."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<option>-r</option>,<option>--remove-group</option> <replaceable>GROEPEN</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Remove this group from groups specified by the <replaceable>GROUPS</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> parameter."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Verwijder deze groep uit de groepen opgegeven in de <replaceable>GROEPEN</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> parameter."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refmeta><manvolnum>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 sssd-krb5.5.xml:11
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 sssd-krb5.5.xml:12
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "File Formats and Conventions"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "Bestandsformaten en conventies"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sssd.conf.5.xml:17 sssd-ldap.5.xml:17 sssd_krb5_locator_plugin.8.xml:16
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#: sssd-ipa.5.xml:17 sssd-ad.5.xml:17 sssd-krb5.5.xml:17
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "the configuration file for SSSD"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "het configuratiebestand voor SSSD"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "FILE FORMAT"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "BESTANDSFORMAAT"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><programlisting>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" <replaceable>[section]</replaceable>\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" <replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" <replaceable>[sectie]</replaceable>\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" <replaceable>sleutel</replaceable> = <replaceable>waarde</replaceable>\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" <replaceable>sleutel2</replaceable> = <replaceable>waarde2,waarde3</replaceable>\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The file has an ini-style syntax and consists of sections and parameters. A "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"section begins with the name of the section in square brackets and continues "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"until the next section begins. An example of section with single and multi-"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Het bestand heeft een ini-stijl syntaxis en bestaat uit secties en "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"parameters. Een sectie begint met de naam van de sectie in rechte haken en "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"gaat verder totdat de volgende sectie begint. Een voorbeeld van een sectie "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"met een enkele en een meervoudige parameter: <placeholder type="
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"\"programlisting\" id=\"0\"/>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The data types used are string (no quotes needed), integer and bool (with "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"values of <quote>TRUE/FALSE</quote>)."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"De datatypes gebruikt zijn tekst (geen quotes vereisd), numeriek en "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"booleaans (met de waardes <quote>TRUE/FALSE</quote>)."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"(<quote>;</quote>). Inline comments are not supported."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"All sections can have an optional <replaceable>description</replaceable> "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"parameter. Its function is only as a label for the section."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Alle secties kunnen een optionele <replaceable>description</replaceable> "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"parameter bevatten. Dit fungeert slechts als label voor de sectie."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<filename>sssd.conf</filename> must be a regular file, owned by root and "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"only root may read from or write to the file."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<filename>sssd.conf</filename> moet een standaardbestand zijn, de eigenaar "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"moet root zijn en alleen root mag hem lezen en schrijven."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "SPECIAL SECTIONS"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "SPECIALE SECTIES"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The [sssd] section"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "De [sssd] sectie"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Section parameters"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "Sectie parameters"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "config_file_version (integer)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "config_file_version (numeriek)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Geeft aan welke syntaxis de configuratie gebruikt. SSSD 0.6.0 en hoger "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"gebruiken versie 2."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "services"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "diensten"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Comma separated list of services that are started when sssd itself starts."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Kommagescheiden lijst van diensten die gestart worden als sssd zelf start."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<phrase condition=\"with_autofs\">, autofs</phrase> <phrase condition="
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"\"with_ssh\">, ssh</phrase> <phrase condition=\"with_pac_responder\">, pac</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "reconnection_retries (integer)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "reconnection_retries (numeriek)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Number of times services should attempt to reconnect in the event of a Data "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Provider crash or restart before they give up"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Aantal keer dat de service moet proberen om opnieuw te verbinden indien een "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Data Aanbieder crashed of opnieuw start voordat dit opgegeven wordt"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 3"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "Standaard: 3"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "domains"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "domeinen"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"A domain is a database containing user information. SSSD can use more "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"domains at the same time, but at least one must be configured or SSSD won't "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"start. This parameter described the list of domains in the order you want "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"them to be queried. A domain name should only consist of alphanumeric ASCII "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"characters, dashes and underscores."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "re_expression (string)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "re_expression (tekst)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"Default regular expression that describes how to parse the string containing "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"user name and domain into these components."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Each domain can have an individual regular expression configured. For some "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"ID providers there are also default regular expressions. See DOMAIN "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"SECTIONS for more info on these regular expressions."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "full_name_format (string)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "full_name_format (tekst)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"manvolnum> </citerefentry>-compatible format that describes how to compose a "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"fully qualified name from user name and domain name components."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "user name"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "domain name as specified in the SSSD config file."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"domain flat name. Mostly usable for Active Directory domains, both directly "
0172959f117b545c8a6b1893f5f56818d82dd624Jakub Hrozek"configured or discovered via IPA trusts."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"The following expansions are supported: <placeholder type=\"variablelist\" "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"Each domain can have an individual format string configured. see DOMAIN "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"SECTIONS for more info on this option."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "try_inotify (boolean)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "try_inotify (bool)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"SSSD monitors the state of resolv.conf to identify when it needs to update "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"its internal DNS resolver. By default, we will attempt to use inotify for "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"this, and will fall back to polling resolv.conf every five seconds if "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"inotify cannot be used."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"SSSD houdt de stat van resolv.conf in de gaten om te zien wanneer de interne "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"DNS-resolver bijgewerkt moet worden. Standaard wordt er geprobeerd om "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"inotify te gebruiken en er wordt teruggevallen op iedere vijf seconden "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"kijken of resolv.conf gewijzigd is als er geen inotify beschikbaar is."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"There are some limited situations where it is preferred that we should skip "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"even trying to use inotify. In these rare cases, this option should be set "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Er zijn een aantal situaties waarin het de voorkeur heeft dat we het gebruik "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"van inotify uitschakelen. In deze zeldzame gevallen kan de optie op 'false' "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Default: true on platforms where inotify is supported. False on other "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Standaard: true op systemen waar inotify is ondersteund. False op andere "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Note: this option will have no effect on platforms where inotify is "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"unavailable. On these platforms, polling will always be used."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Merk op: deze optie heeft geen effect op systemen waar inotify niet "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"beschikbaar is. Op deze systemen wordt altijd periodiek gekeken naar resolv."
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "krb5_rcache_dir (string)"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"Directory on the filesystem where SSSD should store Kerberos replay cache "
b355dcb54194f498921743ca33304eac35d89718Stephen Gallagher"Map in het bestandssysteem waarin SSSD Kerberos replay cache bestanden moet "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"SSSD to let libkrb5 decide the appropriate location for the replay cache."
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"Default: Distribution-specific and specified at build-time. "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"(__LIBKRB5_DEFAULTS__ if not configured)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "default_domain_suffix (string)"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"This string will be used as a default domain name for all names without a "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"domain name component. The main use case is environments where the primary "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"domain is intended for managing host policies and all users are located in a "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"trusted domain. The option allows those users to log in just with their "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"user name without giving a domain name as well."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Please note that if this option is set all users from the primary domain "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"have to use their fully qualified name, e.g. user@domain.name, to log in."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:256 sssd-ldap.5.xml:1371 sssd-ldap.5.xml:1383
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:1444 sssd-ldap.5.xml:2325 sssd-ldap.5.xml:2352
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-krb5.5.xml:388 include/ldap_id_mapping.xml:145
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "Default: not set"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Individual pieces of SSSD functionality are provided by special SSSD "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"services that are started and stopped together with SSSD. The services are "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"managed by a special service frequently called <quote>monitor</quote>. The "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<quote>[sssd]</quote> section is used to configure the monitor as well as "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"some other important options like the identity domains. <placeholder type="
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"\"variablelist\" id=\"0\"/>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "SERVICES SECTIONS"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "SERVICES SECTIE"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Settings that can be used to configure different services are described in "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"section, for example, for NSS service, the section would be <quote>[nss]</"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "General service configuration options"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "Algemene service configuratie-opties"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "These options can be used to configure any service."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "Deze opties kunnen gebruikt worden om services te configureren."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "debug_level (integer)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "debug_level (numeriek)"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "debug_timestamps (bool)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "debug_timestamps (bool)"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Add a timestamp to the debug messages"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "Voeg een tijdstempel toe aan de debugberichten"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:292 sssd.conf.5.xml:472 sssd.conf.5.xml:819
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:1517 sssd-ldap.5.xml:1614 sssd-ldap.5.xml:1671
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:2113 sssd-ldap.5.xml:2178 sssd-ldap.5.xml:2196
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ipa.5.xml:361 sssd-ipa.5.xml:396 sssd-ad.5.xml:156 sssd-ad.5.xml:181
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: true"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "Standaard: true"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "debug_microseconds (bool)"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "Add microseconds to the timestamp in debug messages"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:303 sssd.conf.5.xml:773 sssd.conf.5.xml:1712
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:640 sssd-ldap.5.xml:1412 sssd-ldap.5.xml:1431
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:1586 sssd-ldap.5.xml:1909 sssd-ipa.5.xml:139
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ipa.5.xml:205 sssd-ipa.5.xml:473 sssd-krb5.5.xml:244
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "Default: false"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "timeout (integer)"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Timeout in seconds between heartbeats for this service. This is used to "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"ensure that the process is alive and capable of answering requests."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Default: 10"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "fd_limit"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"This option specifies the maximum number of file descriptors that may be "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"opened at one time by this SSSD process. On systems where SSSD is granted "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"the CAP_SYS_RESOURCE capability, this will be an absolute setting. On "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"systems without this capability, the resulting value will be the lower value "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"of this or the limits.conf \"hard\" limit."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Default: 8192 (or limits.conf \"hard\" limit)"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "client_idle_timeout"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"This option specifies the number of seconds that a client of an SSSD process "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"can hold onto a file descriptor without communicating on it. This value is "
7797e361155f7ce937085fd98e360469d7baf1b6Jakub Hrozek"limited in order to avoid resource exhaustion on the system."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:361 sssd.conf.5.xml:377 sssd.conf.5.xml:591
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:751 sssd.conf.5.xml:983 sssd-ldap.5.xml:1113
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Default: 60"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "force_timeout (integer)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"If a service is not responding to ping checks (see the <quote>timeout</"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"quote> option), it is first sent the SIGTERM signal that instructs it to "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"quit gracefully. If the service does not terminate after "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"<quote>force_timeout</quote> seconds, the monitor will forcibly shut it down "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"by sending a SIGKILL signal."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "NSS configuration options"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "NSS configuratie-opties"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"These options can be used to configure the Name Service Switch (NSS) service."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Deze opties kunnen worden gebruikt om de Name Serice Switch (NSS) service te "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "enum_cache_timeout (integer)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "enum_cache_timeout (numeriek)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"How many seconds should nss_sss cache enumerations (requests for info about "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Hoeveel seconden zouden nss_sss cache enumeraties (verzoeken om informatie "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"over alle gebruikers)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 120"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "Standaard: 120"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "entry_cache_nowait_percentage (integer)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "entry_cache_nowait_percentage (numeriek)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The entry cache can be set to automatically update entries in the background "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"if they are requested beyond a percentage of the entry_cache_timeout value "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"for the domain."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"For example, if the domain's entry_cache_timeout is set to 30s and "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"after 15 seconds past the last cache update will be returned immediately, "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"but the SSSD will go and update the cache on its own, so that future "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"requests will not need to block waiting for a cache update."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Valid values for this option are 0-99 and represent a percentage of the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"entry_cache_timeout for each domain. For performance reasons, this "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"disables this feature)"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "Default: 50"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "entry_negative_timeout (integer)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgstr "entry_negative_timeout (numeriek)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specifies for how many seconds nss_sss should cache negative cache hits "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"(that is, queries for invalid database entries, like nonexistent ones) "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"before asking the back end again."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 15"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "filter_users, filter_groups (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Exclude certain users from being fetched from the sss NSS database. This is "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"particularly useful for system accounts. This option can also be set per-"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"domain or include fully-qualified names to filter only users from the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"particular domain."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: root"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "filter_users_in_groups (bool)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If you want filtered user still be group members set this option to false."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "fallback_homedir (string)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Set a default template for a user's home directory if one is not specified "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"explicitly by the domain's data provider."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"The available values for this option are the same as for override_homedir."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"override_homedir = /home/%u\n"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:490 include/override_homedir.xml:44
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "example: <placeholder type=\"programlisting\" id=\"0\"/>"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Default: not set (no substitution for unset home directories)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "override_shell (string)"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Override the login shell for all users. This option can be specified "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"globally in the [nss] section or per-domain."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Default: not set (SSSD will use the value retrieved from LDAP)"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "allowed_shells (string)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"Restrict user shell to one of the listed values. The order of evaluation is:"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"quote>, use the value of the shell_fallback parameter."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"3. If the shell is not in the allowed_shells list and not in <quote>/etc/"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"shells</quote>, a nologin shell is used."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "An empty string for shell is passed as-is to libc."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"The <quote>/etc/shells</quote> is only read on SSSD start up, which means "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"that a restart of the SSSD is required in case a new shell is installed."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "Default: Not set. The user shell is automatically used."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "vetoed_shells (string)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "Replace any instance of these shells with the shell_fallback"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "shell_fallback (string)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"The default shell to use if an allowed shell is not installed on the machine."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "Default: /bin/sh"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "default_shell"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"The default shell to use if the provider does not return one during lookup. "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"This option supersedes any other shell options if it takes effect and can be "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"set either in the [nss] section or per-domain."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Default: not set (Return NULL if no shell is specified and rely on libc to "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"substitute something sensible when necessary, usually /bin/sh)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "get_domains_timeout (int)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Specifies time in seconds for which the list of subdomains will be "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"considered valid."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "memcache_timeout (int)"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"Specifies time in seconds for which records in the in-memory cache will be "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "Default: 300"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "PAM configuration options"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"These options can be used to configure the Pluggable Authentication Module "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"(PAM) service."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "offline_credentials_expiration (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If the authentication provider is offline, how long should we allow cached "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"logins (in days since the last successful online login)."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 0 (No limit)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "offline_failed_login_attempts (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If the authentication provider is offline, how many failed login attempts "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "offline_failed_login_delay (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The time in minutes which has to pass after offline_failed_login_attempts "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"has been reached before a new login attempt is possible."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If set to 0 the user cannot authenticate offline if "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"offline_failed_login_attempts has been reached. Only a successful online "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"authentication can enable offline authentication again."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:658 sssd.conf.5.xml:711 sssd.conf.5.xml:1659
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 5"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "pam_verbosity (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Controls what kind of messages are shown to the user during authentication. "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The higher the number to more messages are displayed."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Currently sssd supports the following values:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<emphasis>0</emphasis>: do not show any message"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<emphasis>1</emphasis>: show only important messages"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<emphasis>2</emphasis>: show informational messages"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<emphasis>3</emphasis>: show all messages and debug information"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 1"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "pam_id_timeout (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"For any PAM request while SSSD is online, the SSSD will attempt to "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"immediately update the cached identity information for the user in order to "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"ensure that authentication takes place with the latest information."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"A complete PAM conversation may perform multiple PAM requests, such as "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"account management and session opening. This option controls (on a per-"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"client-application basis) how long (in seconds) we can cache the identity "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"information to avoid excessive round-trips to the identity provider."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "pam_pwd_expiration_warning (integer)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Display a warning N days before the password expires."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Please note that the backend server has to provide information about the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"expiration time of the password. If this information is missing, sssd "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"cannot display a warning."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"If zero is set, then this filter is not applied, i.e. if the expiration "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"warning was received from backend server, it will automatically be displayed."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"This setting can be overridden by setting <emphasis>pwd_expiration_warning</"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"emphasis> for a particular domain."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Default: 0"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgstr "Standaard: 0"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><title>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "SUDO configuration options"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "These options can be used to configure the sudo service."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "sudo_timed (bool)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"that implement time-dependent sudoers entries."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><title>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "AUTOFS configuration options"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "These options can be used to configure the autofs service."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "autofs_negative_timeout (integer)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"Specifies for how many seconds should the autofs responder negative cache "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"hits (that is, queries for invalid map entries, like nonexistent ones) "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"before asking the back end again."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><title>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "SSH configuration options"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "These options can be used to configure the SSH service."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ssh_hash_known_hosts (bool)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
45db68ae27147955a4be4c2c772041824c0dc00fStephen Gallagher"Whether or not to hash host names and addresses in the managed known_hosts "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "ssh_known_hosts_timeout (integer)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"How many seconds to keep a host in the managed known_hosts file after its "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"host keys were requested."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Default: 180"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><title>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "PAC responder configuration options"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"The PAC responder works together with the authorization data plugin for MIT "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"PAC data during a GSSAPI authentication to the PAC responder. The sub-domain "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"provider collects domain SID and ID ranges of the domain the client is "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"joined to and of remote trusted domains from the local domain controller. "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"If the PAC is decoded and evaluated some of the following operations are "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"If the remote user does not exist in the cache, it is created. The uid is "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"determined with the help of the SID, trusted domains will have UPGs and the "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"gid will have the same value as the uid. The home directory is set based on "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"the subdomain_homedir parameter. The shell will be empty by default, i.e. "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"the system defaults are used, but can be overwritten with the default_shell "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"If there are SIDs of groups from domains sssd knows about, the user will be "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"added to those groups."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "These options can be used to configure the PAC responder."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "allowed_uids (string)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"Specifies the comma-separated list of UID values or user names that are "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"allowed to access the PAC responder. User names are resolved to UIDs at "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "Default: 0 (only the root user is allowed to access the PAC responder)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"Please note that although the UID 0 is used as the default it will be "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"overwritten with this option. If you still want to allow the root user to "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"access the PAC responder, which would be the typical case, you have to add 0 "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"to the list of allowed UIDs as well."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "DOMAIN SECTIONS"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "min_id,max_id (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"UID and GID limits for the domain. If a domain contains an entry that is "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"outside these limits, it is ignored."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"For users, this affects the primary GID limit. The user will not be returned "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"to NSS if either the UID or the primary GID is outside the range. For non-"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"primary group memberships, those that are in range will be reported as "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 1 for min_id, 0 (no limit) for max_id"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "enumerate (bool)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Determines if a domain can be enumerated. This parameter can have one of the "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"following values:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "TRUE = Users and groups are enumerated"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "FALSE = No enumerations for this domain"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:936 sssd.conf.5.xml:1110 sssd.conf.5.xml:1212
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: FALSE"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Note: Enabling enumeration has a moderate performance impact on SSSD while "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"enumeration is running. It may take up to several minutes after SSSD startup "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"to fully complete enumerations. During this time, individual requests for "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"information will go directly to LDAP, though it may be slow, due to the "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"heavy enumeration processing. Saving a large number of entries to cache "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"after the enumeration completes might also be CPU intensive as the "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"memberships have to be recomputed."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"While the first enumeration is running, requests for the complete user or "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"group lists may return no results until it completes."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Further, enabling enumeration may increase the time necessary to detect "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"network disconnection, as longer timeouts are required to ensure that "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"enumeration lookups are completed successfully. For more information, refer "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"to the man pages for the specific id_provider in use."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"For the reasons cited above, enabling enumeration is not recommended, "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"especially in large environments."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "entry_cache_timeout (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"How many seconds should nss_sss consider entries valid before asking the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"backend again"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 5400"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "entry_cache_user_timeout (integer)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"How many seconds should nss_sss consider user entries valid before asking "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"the backend again"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:1009 sssd.conf.5.xml:1022 sssd.conf.5.xml:1035
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:1048 sssd.conf.5.xml:1061 sssd.conf.5.xml:1075
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: entry_cache_timeout"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "entry_cache_group_timeout (integer)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"How many seconds should nss_sss consider group entries valid before asking "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"the backend again"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "entry_cache_netgroup_timeout (integer)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"How many seconds should nss_sss consider netgroup entries valid before "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"asking the backend again"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "entry_cache_service_timeout (integer)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"How many seconds should nss_sss consider service entries valid before asking "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"the backend again"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "entry_cache_sudo_timeout (integer)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"How many seconds should sudo consider rules valid before asking the backend "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "entry_cache_autofs_timeout (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"How many seconds should the autofs service consider automounter maps valid "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"before asking the backend again"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "refresh_expired_interval (integer)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Specifies how many seconds SSSD has to wait before refreshing expired "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"records. Currently only refreshing expired netgroups is supported."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "You can consider setting this value to 3/4 * entry_cache_timeout."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "Default: 0 (disabled)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "cache_credentials (bool)"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Determines if user credentials are also cached in the local LDB cache"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "User credentials are stored in a SHA512 hash, not in plaintext"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "account_cache_expiration (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Number of days entries are left in cache after last successful login before "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"being removed during a cleanup of the cache. 0 means keep forever. The "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"value of this parameter must be greater than or equal to "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"offline_credentials_expiration."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 0 (unlimited)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "pwd_expiration_warning (integer)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Please note that the backend server has to provide information about the "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"expiration time of the password. If this information is missing, sssd "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"cannot display a warning. Also an auth provider has to be configured for the "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Default: 7 (Kerberos), 0 (LDAP)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "id_provider (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The identification provider used for the domain. Supported ID providers are:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "<quote>proxy</quote>: Support a legacy NSS provider"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "<quote>local</quote>: SSSD internal provider for local users"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"information on configuring LDAP."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:1176 sssd.conf.5.xml:1255 sssd.conf.5.xml:1306
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<quote>ipa</quote>: FreeIPA and Red Hat Enterprise Identity Management "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"provider. See <citerefentry> <refentrytitle>sssd-ipa</refentrytitle> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<manvolnum>5</manvolnum> </citerefentry> for more information on configuring "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:1185 sssd.conf.5.xml:1264 sssd.conf.5.xml:1315
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<quote>ad</quote>: Active Directory provider. See <citerefentry> "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry> for more information on configuring Active Directory."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "use_fully_qualified_names (bool)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Use the full name and domain (as formatted by the domain's full_name_format) "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"as the user's login name reported to NSS."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If set to TRUE, all requests to this domain must use fully qualified names. "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"For example, if used in LOCAL domain that contains a \"test\" user, "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>getent passwd test</command> wouldn't find the user while "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>getent passwd test@LOCAL</command> would."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "ignore_group_members (bool)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Do not return group members for group lookups."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"If set to TRUE, the group membership attribute is not requested from the "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"ldap server, and group members are not returned when processing group lookup "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "auth_provider (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The authentication provider used for the domain. Supported auth providers "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"citerefentry> for more information on configuring LDAP."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"citerefentry> for more information on configuring Kerberos."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<quote>proxy</quote> for relaying authentication to some other PAM target."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<quote>none</quote> disables authentication explicitly."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Default: <quote>id_provider</quote> is used if it is set and can handle "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"authentication requests."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "access_provider (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The access control provider used for the domain. There are two built-in "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"access providers (in addition to any included in installed backends) "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Internal special providers are:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<quote>permit</quote> always allow access. It's the only permitted access "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"provider for a local domain."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<quote>deny</quote> always deny access."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<quote>simple</quote> access control based on access or deny lists. See "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"manvolnum></citerefentry> for more information on configuring the simple "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"access module."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: <quote>permit</quote>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "chpass_provider (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The provider which should handle change password operations for the domain. "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Supported change password providers are:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<quote>ldap</quote> to change a password stored in a LDAP server. See "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"manvolnum> </citerefentry> for more information on configuring LDAP."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"citerefentry> for more information on configuring Kerberos."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<quote>proxy</quote> for relaying password changes to some other PAM target."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<quote>none</quote> disallows password changes explicitly."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Default: <quote>auth_provider</quote> is used if it is set and can handle "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"change password requests."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "sudo_provider (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The SUDO provider used for the domain. Supported SUDO providers are:"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"citerefentry> for more information on configuring LDAP."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "<quote>none</quote> disables SUDO explicitly."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:1407 sssd.conf.5.xml:1461 sssd.conf.5.xml:1493
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: The value of <quote>id_provider</quote> is used if it is set."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "selinux_provider (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The provider which should handle loading of selinux settings. Note that this "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"provider will be called right after access provider ends. Supported selinux "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"providers are:"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<quote>ipa</quote> to load selinux settings from an IPA server. See "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"manvolnum> </citerefentry> for more information on configuring IPA."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "<quote>none</quote> disallows fetching selinux settings explicitly."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"Default: <quote>id_provider</quote> is used if it is set and can handle "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"selinux loading requests."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "subdomains_provider (string)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The provider which should handle fetching of subdomains. This value should "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"be always the same as id_provider. Supported subdomain providers are:"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<quote>ipa</quote> to load a list of subdomains from an IPA server. See "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"manvolnum> </citerefentry> for more information on configuring IPA."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "<quote>none</quote> disallows fetching subdomains explicitly."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "autofs_provider (string)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"The autofs provider used for the domain. Supported autofs providers are:"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"citerefentry> for more information on configuring LDAP."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"citerefentry> for more information on configuring IPA."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "<quote>none</quote> disables autofs explicitly."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "hostid_provider (string)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"The provider used for retrieving host identity information. Supported "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"hostid providers are:"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<quote>ipa</quote> to load host identity stored in an IPA server. See "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"manvolnum> </citerefentry> for more information on configuring IPA."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "<quote>none</quote> disables hostid explicitly."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"Regular expression for this domain that describes how to parse the string "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"containing user name and domain into these components. The \"domain\" can "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"match either the SSSD configuration domain name, or, in the case of IPA "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"trust subdomains and Active Directory domains, the flat (NetBIOS) name of "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"the domain."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Default for the AD and IPA provider: <quote>(((?P<domain>[^\\\\]+)\\"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"P<name>[^@\\\\]+)$))</quote> which allows three different styles for "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"user names:"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "username"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "username@domain.name"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "domain\\username"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"While the first two correspond to the general default the third one is "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"introduced to allow easy integration of users from Windows domains."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"which translates to \"the name is everything up to the <quote>@</quote> "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"sign, the domain everything after that\""
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"Standaard: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"wat zich vertaalt tot \"de gebruikersnaam is alles tot <quote>@</quote> , "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"het domein alles daarna\""
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"PLEASE NOTE: the support for non-unique named subpatterns is not available "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"version 7 or higher can support non-unique named subpatterns."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"P<name>) to label subpatterns."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"MER OOK OP: oudere versies van libpcre ondersteunen alleen de Pyton syntaxis "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"(?P<name>) om subpatronen aan te geven."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "Default: <quote>%1$s@%2$s</quote>."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgstr "Standaard: <quote>%1$s@%2$s</quote>."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "lookup_family_order (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Provides the ability to select preferred address family to use when "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"performing DNS lookups."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Supported values:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: ipv4_first"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "dns_resolver_timeout (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Defines the amount of time (in seconds) to wait for a reply from the DNS "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"resolver before assuming that it is unreachable. If this timeout is reached, "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"the domain will continue to operate in offline mode."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "dns_discovery_domain (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If service discovery is used in the back end, specifies the domain part of "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"the service discovery DNS query."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: Use the domain part of machine's hostname"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "override_gid (integer)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "Override the primary GID value with the one specified."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "case_sensitive (boolean)"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"Treat user and group names as case sensitive. At the moment, this option is "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"not supported in the local provider."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "Default: True"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "proxy_fast_alias (boolean)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"When a user or group is looked up by name in the proxy provider, a second "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"lookup by ID is performed to \"canonicalize\" the name in case the requested "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"name was an alias. Setting this option to true would cause the SSSD to "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"perform the ID lookup from cache for performance reasons."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "subdomain_homedir (string)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "flat (NetBIOS) name of a subdomain."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Use this homedir as default value for all subdomains within this domain. See "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"<emphasis>override_homedir</emphasis> for info about possible values. In "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"addition to those, the expansion below can only be used with "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"<emphasis>subdomain_homedir</emphasis>. <placeholder type=\"variablelist\" "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"The value can be overridden by <emphasis>override_homedir</emphasis> option."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "Default: <filename>/home/%d/%u</filename>"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "realmd_tags (string)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Various tags stored by the realmd configuration service for this domain."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"These configuration options can be present in a domain configuration "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "proxy_pam_target (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The proxy target PAM proxies to."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Default: not set by default, you have to take an existing pam configuration "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"or create a new one and add the service name here."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "proxy_lib_name (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The name of the NSS library to use in proxy domains. The NSS functions "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"searched for in the library are in the form of _nss_$(libName)_$(function), "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"for example _nss_files_getpwent."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The local domain section"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"This section contains settings for domain that stores users and groups in "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"SSSD native database, that is, a domain that uses "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<replaceable>id_provider=local</replaceable>."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "default_shell (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The default shell for users created with SSSD userspace tools."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: <filename>/bin/bash</filename>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "base_directory (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The tools append the login name to <replaceable>base_directory</replaceable> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"and use that as the home directory."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: <filename>/home</filename>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "create_homedir (bool)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Indicate if a home directory should be created by default for new users. "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Can be overridden on command line."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: TRUE"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "remove_homedir (bool)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Indicate if a home directory should be removed by default for deleted "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"users. Can be overridden on command line."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "homedir_umask (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"on a newly created home directory."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 077"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "skel_dir (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The skeleton directory, which contains files and directories to be copied in "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"the user's home directory, when the home directory is created by "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"manvolnum> </citerefentry>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: <filename>/etc/skel</filename>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "mail_dir (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The mail spool directory. This is needed to manipulate the mailbox when its "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"corresponding user account is modified or deleted. If not specified, a "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"default value is used."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: <filename>/var/mail</filename>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "userdel_cmd (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The command that is run after a user is removed. The command us passed the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"username of the user being removed as the first and only parameter. The "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"return code of the command is not taken into account."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: None, no command is run"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd.conf.5.xml:1914 sssd-ldap.5.xml:2378 sssd-simple.5.xml:131
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ipa.5.xml:740 sssd-ad.5.xml:288 sssd-krb5.5.xml:506
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "EXAMPLE"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><programlisting>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"domains = LDAP\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"services = nss, pam\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"config_file_version = 2\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"filter_groups = root\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"filter_users = root\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"id_provider = ldap\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"ldap_uri = ldap://ldap.example.com\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"ldap_search_base = dc=example,dc=com\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"auth_provider = krb5\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"krb5_realm = EXAMPLE.COM\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"cache_credentials = true\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"min_id = 10000\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"max_id = 20000\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"enumerate = False\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The following example shows a typical SSSD config. It does not describe "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"configuration of the domains themselves - refer to documentation on "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"configuring domains for more details. <placeholder type=\"programlisting\" "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sssd-ldap"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"This manual page describes the configuration of LDAP domains for "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"manvolnum> </citerefentry> manual page for detailed syntax information."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "You can configure SSSD to use more than one LDAP domain."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"LDAP back end supports id, auth, access and chpass providers. If you want to "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"over an unencrypted channel. If the LDAP server is used only as an identity "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"provider, an encrypted channel is not needed. Please refer to "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<quote>ldap_access_filter</quote> config option for more information about "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"using LDAP as an access provider."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:70 sssd-ad.5.xml:78
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "CONFIGURATION OPTIONS"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "ldap_uri, ldap_backup_uri (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"should connect in the order of preference. Refer to the <quote>FAILOVER</"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"quote> section for more information on failover and server redundancy. If "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"neither option is specified, service discovery is enabled. For more "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "The format of the URI must match the format defined in RFC 2732:"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "ldap[s]://<host>[:port]"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "example: ldap://[fc00::126:25]:389"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"should connect in the order of preference to change the password of a user. "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"Refer to the <quote>FAILOVER</quote> section for more information on "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"failover and server redundancy."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "To enable service discovery ldap_chpass_dns_service_name must be set."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: empty, i.e. ldap_uri is used."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_search_base (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The default base DN to use for performing LDAP user operations."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"Starting with SSSD 1.7.0, SSSD supports multiple search bases using the "
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallaghermsgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]"
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallaghermsgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"."
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"The filter must be a valid LDAP search filter as specified by http://www."
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallaghermsgid "Examples:"
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"ldap_search_base = dc=example,dc=com (which is equivalent to) "
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"ldap_search_base = dc=example,dc=com?subtree?"
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?"
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"(host=thishost)?dc=example.com?subtree?"
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"Note: It is unsupported to have multiple search bases which reference "
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"identically-named objects (for example, groups with the same name in two "
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"different search bases). This will lead to unpredictable behavior on client "
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"Default: If not set, the value of the defaultNamingContext or namingContexts "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"attribute from the RootDSE of the LDAP server is used. If "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"defaultNamingContext does not exist or has an empty value namingContexts is "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"used. The namingContexts attribute must have a single value with the DN of "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"the search base of the LDAP server to make this work. Multiple values are "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"are not supported."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_schema (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specifies the Schema Type in use on the target LDAP server. Depending on "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"the selected schema, the default attribute names retrieved from the servers "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"may vary. The way that some attributes are handled may also differ."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "Four schema types are currently supported:"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "rfc2307"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "rfc2307bis"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"The main difference between these schema types is how group memberships are "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"recorded in the server. With rfc2307, group members are listed by name in "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"group members are listed by DN and stored in the <emphasis>member</emphasis> "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"attribute. The AD schema type sets the attributes to correspond with Active "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Directory 2008r2 values."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: rfc2307"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_default_bind_dn (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The default bind DN to use for performing LDAP operations."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_default_authtok_type (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The type of the authentication token of the default bind DN."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The two mechanisms currently supported are:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "password"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "obfuscated_password"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "Default: password"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_default_authtok (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The authentication token of the default bind DN. Only clear text passwords "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"are currently supported."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_object_class (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The object class of a user entry in LDAP."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: posixAccount"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_name (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that corresponds to the user's login name."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: uid"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_uid_number (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that corresponds to the user's id."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: uidNumber"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_gid_number (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that corresponds to the user's primary group id."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: gidNumber"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_gecos (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that corresponds to the user's gecos field."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: gecos"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_home_directory (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallaghermsgid "The LDAP attribute that contains the name of the user's home directory."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: homeDirectory"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_shell (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that contains the path to the user's default shell."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: loginShell"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_uuid (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:348 sssd-ldap.5.xml:818 sssd-ldap.5.xml:1004
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: nsUniqueId"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_user_objectsid (string)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"The LDAP attribute that contains the objectSID of an LDAP user object. This "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"is usually only necessary for ActiveDirectory servers."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Default: objectSid for ActiveDirectory, not set for other servers."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_modify_timestamp (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:372 sssd-ldap.5.xml:842 sssd-ldap.5.xml:1013
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The LDAP attribute that contains timestamp of the last modification of the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"parent object."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:376 sssd-ldap.5.xml:846 sssd-ldap.5.xml:1020
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: modifyTimestamp"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_shadow_last_change (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"the last password change)."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: shadowLastChange"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_shadow_min (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"password age)."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: shadowMin"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_shadow_max (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"password age)."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: shadowMax"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_shadow_warning (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"(password warning period)."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: shadowWarning"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_shadow_inactive (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"(password inactivity period)."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: shadowInactive"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_shadow_expire (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"parameter contains the name of an LDAP attribute corresponding to its "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"manvolnum> </citerefentry> counterpart (account expiration date)."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: shadowExpire"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_krb_last_pwd_change (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"an LDAP attribute storing the date and time of last password change in "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: krbLastPwdChange"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_krb_password_expiration (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"an LDAP attribute storing the date and time when current password expires."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: krbPasswordExpiration"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_ad_account_expires (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"When using ldap_account_expire_policy=ad, this parameter contains the name "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"of an LDAP attribute storing the expiration time of the account."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: accountExpires"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_ad_user_account_control (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"When using ldap_account_expire_policy=ad, this parameter contains the name "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"of an LDAP attribute storing the user account control bit field."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: userAccountControl"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_ns_account_lock (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"determines if access is allowed or not."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: nsAccountLock"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "ldap_user_nds_login_disabled (string)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"When using ldap_account_expire_policy=nds, this attribute determines if "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"access is allowed or not."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "Default: loginDisabled"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "ldap_user_nds_login_expiration_time (string)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"When using ldap_account_expire_policy=nds, this attribute determines until "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"which date access is granted."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "ldap_user_nds_login_allowed_time_map (string)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"When using ldap_account_expire_policy=nds, this attribute determines the "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"hours of a day in a week when access is granted."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "Default: loginAllowedTimeMap"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_principal (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The LDAP attribute that contains the user's Kerberos User Principal Name "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: krbPrincipalName"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_user_ssh_public_key (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that contains the user's SSH public keys."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_force_upper_case_realm (boolean)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Some directory servers, for example Active Directory, might deliver the "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"realm part of the UPN in lower case, which might cause the authentication to "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"fail. Set this option to a non-zero value if you want to use an upper-case "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_enumeration_refresh_timeout (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
292cbb3fbe41bb7ee09b67c3ec59ab7c7ba5220eStephen Gallagher"Specifies how many seconds SSSD has to wait before refreshing its cache of "
292cbb3fbe41bb7ee09b67c3ec59ab7c7ba5220eStephen Gallagher"enumerated records."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
292cbb3fbe41bb7ee09b67c3ec59ab7c7ba5220eStephen Gallaghermsgid "ldap_purge_cache_timeout (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Determine how often to check the cache for inactive entries (such as groups "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"with no members and users who have never logged in) and remove them to save "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Setting this option to zero will disable the cache cleanup operation."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 10800 (12 hours)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_fullname (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that corresponds to the user's full name."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:686 sssd-ldap.5.xml:779 sssd-ldap.5.xml:954
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:1045 sssd-ldap.5.xml:1942 sssd-ldap.5.xml:2268
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: cn"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_member_of (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that lists the user's group memberships."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: memberOf"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_authorized_service (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"use the presence of the authorizedService attribute in the user's LDAP entry "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"to determine access privilege."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"explicit allow (svc) and finally for allow_all (*)."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Please note that the ldap_access_order configuration option <emphasis>must</"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"emphasis> include <quote>authorized_service</quote> in order for the "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"ldap_user_authorized_service option to work."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: authorizedService"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallaghermsgid "ldap_user_authorized_host (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher"If access_provider=ldap and ldap_access_order=host, SSSD will use the "
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher"presence of the host attribute in the user's LDAP entry to determine access "
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher"An explicit deny (!host) is resolved first. Second, SSSD searches for "
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher"explicit allow (host) and finally for allow_all (*)."
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Please note that the ldap_access_order configuration option <emphasis>must</"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"emphasis> include <quote>host</quote> in order for the "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"ldap_user_authorized_host option to work."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallaghermsgid "Default: host"
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallaghermsgid "ldap_group_object_class (string)"
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The object class of a group entry in LDAP."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: posixGroup"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_group_name (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that corresponds to the group name."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_group_gid_number (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that corresponds to the group's id."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_group_member (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that contains the names of the group's members."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_group_uuid (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallaghermsgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_group_objectsid (string)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"The LDAP attribute that contains the objectSID of an LDAP group object. This "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"is usually only necessary for ActiveDirectory servers."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_group_modify_timestamp (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_group_nesting_level (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If ldap_schema is set to a schema format that supports nested groups (e.g. "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"RFC2307bis), then this option controls how many levels of nesting SSSD will "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"follow. This option has no effect on the RFC2307 schema."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 2"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "ldap_groups_use_matching_rule_in_chain"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"This option tells SSSD to take advantage of an Active Directory-specific "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"feature which may speed up group lookup operations on deployments with "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"complex or deep nested groups."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"In most common cases, it is best to leave this option disabled. It generally "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"only provides a performance increase on very complex nestings."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"If this option is enabled, SSSD will use it if it detects that the server "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"supports it during initial connection. So \"True\" here essentially means "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"\"auto-detect\"."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"Note: This feature is currently known to work only with Active Directory "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"2008 R1 and later. See <ulink url=\"http://msdn.microsoft.com/en-us/library/"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"windows/desktop/aa746475%28v=vs.85%29.aspx\"> MSDN(TM) documentation</ulink> "
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"for more details."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:894 sssd-ldap.5.xml:921 sssd-ldap.5.xml:1212
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:1233 sssd-ldap.5.xml:1713 include/ldap_id_mapping.xml:184
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "Default: False"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "ldap_initgroups_use_matching_rule_in_chain"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"This option tells SSSD to take advantage of an Active Directory-specific "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"feature which might speed up initgroups operations (most notably when "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"dealing with complex or deep nested groups)."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "ldap_netgroup_object_class (string)"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The object class of a netgroup entry in LDAP."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "In IPA provider, ipa_netgroup_object_class should be used instead."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: nisNetgroup"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_netgroup_name (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that corresponds to the netgroup name."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "In IPA provider, ipa_netgroup_name should be used instead."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_netgroup_member (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The LDAP attribute that contains the names of the netgroup's members."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "In IPA provider, ipa_netgroup_member should be used instead."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: memberNisNetgroup"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_netgroup_triple (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The LDAP attribute that contains the (host, user, domain) netgroup triples."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "This option is not available in IPA provider."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: nisNetgroupTriple"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_netgroup_uuid (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "In IPA provider, ipa_netgroup_uuid should be used instead."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_netgroup_modify_timestamp (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_service_object_class (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The object class of a service entry in LDAP."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: ipService"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_service_name (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that contains the name of service attributes and their "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_service_port (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that contains the port managed by this service."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: ipServicePort"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_service_proto (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that contains the protocols understood by this service."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: ipServiceProtocol"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_service_search_base (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_search_timeout (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specifies the timeout (in seconds) that ldap searches are allowed to run "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"before they are cancelled and cached results are returned (and offline mode "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Note: this option is subject to change in future versions of the SSSD. It "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"will likely be replaced at some point by a series of timeouts for specific "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"lookup types."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:1097 sssd-ldap.5.xml:1139 sssd-ldap.5.xml:1154
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 6"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_enumeration_search_timeout (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specifies the timeout (in seconds) that ldap searches for user and group "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"enumerations are allowed to run before they are cancelled and cached results "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"are returned (and offline mode is entered)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_network_timeout (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specifies the timeout (in seconds) after which the <citerefentry> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"manvolnum> </citerefentry> following a <citerefentry> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"citerefentry> returns in case of no activity."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_opt_timeout (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"will abort if no response is received. Also controls the timeout when "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"communicating with the KDC in case of SASL bind."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "ldap_connection_expire_timeout (integer)"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"Specifies a timeout (in seconds) that a connection to an LDAP server will be "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"maintained. After this time, the connection will be re-established. If used "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"the TGT lifetime) will be used."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "Default: 900 (15 minutes)"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallaghermsgid "ldap_page_size (integer)"
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher"Specify the number of records to retrieve from LDAP in a single request. "
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher"Some LDAP servers enforce a maximum limit per-request."
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallaghermsgid "Default: 1000"
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_disable_paging (boolean)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"Disable the LDAP paging control. This option should be used if the LDAP "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"server reports that it supports the LDAP paging control in its RootDSE but "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"it is not enabled or does not behave properly."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"Example: OpenLDAP servers with the paging control module installed on the "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"server but not enabled will report it in the RootDSE but be unable to use it."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"Example: 389 DS has a bug where it can only support a one paging control at "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"a time on a single connection. On busy clients, this can result in some "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"requests being denied."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "ldap_disable_range_retrieval (boolean)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "Disable Active Directory range retrieval."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Active Directory limits the number of members to be retrieved in a single "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"lookup using the MaxValRange policy (which defaults to 1500 members). If a "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"group contains more members, the reply would include an AD-specific range "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"extension. This option disables parsing of the range extension, therefore "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"large groups will appear as having no members."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_sasl_minssf (integer)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"When communicating with an LDAP server using SASL, specify the minimum "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"security level necessary to establish the connection. The values of this "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"option are defined by OpenLDAP."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Default: Use the system default (usually specified by ldap.conf)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "ldap_deref_threshold (integer)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"Specify the number of group members that must be missing from the internal "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"cache in order to trigger a dereference lookup. If less members are missing, "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"they are looked up individually."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"You can turn off dereference lookups completely by setting the value to 0."
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"A dereference lookup is a means of fetching all group members in a single "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"LDAP call. Different LDAP servers may implement different dereference "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"methods. The currently supported servers are 389/RHDS, OpenLDAP and Active "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"<emphasis>Note:</emphasis> If any of the search bases specifies a search "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"filter, then the dereference lookup performance enhancement will be disabled "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"regardless of this setting."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_tls_reqcert (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Specifies what checks to perform on server certificates in a TLS session, if "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"any. It can be specified as one of the following values:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<emphasis>never</emphasis> = The client will not request or check any server "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<emphasis>allow</emphasis> = The server certificate is requested. If no "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"certificate is provided, the session proceeds normally. If a bad certificate "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"is provided, it will be ignored and the session proceeds normally."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<emphasis>try</emphasis> = The server certificate is requested. If no "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"certificate is provided, the session proceeds normally. If a bad certificate "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"is provided, the session is immediately terminated."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<emphasis>demand</emphasis> = The server certificate is requested. If no "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"certificate is provided, or a bad certificate is provided, the session is "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"immediately terminated."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: hard"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_tls_cacert (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specifies the file that contains certificates for all of the Certificate "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Authorities that <command>sssd</command> will recognize."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:1339 sssd-ldap.5.xml:1357 sssd-ldap.5.xml:1398
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"conf</filename>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_tls_cacertdir (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specifies the path of a directory that contains Certificate Authority "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"certificates in separate individual files. Typically the file names need to "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"be the hash of the certificate followed by '.0'. If available, "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>cacertdir_rehash</command> can be used to create the correct names."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_tls_cert (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Specifies the file that contains the certificate for the client's key."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_tls_key (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Specifies the file that contains the client's key."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_tls_cipher_suite (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specifies acceptable cipher suites. Typically this is a colon sperated "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<manvolnum>5</manvolnum></citerefentry> for format."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_id_use_start_tls (boolean)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Specifies that the id_provider connection must also use <systemitem class="
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"\"protocol\">tls</systemitem> to protect the channel."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_id_mapping (boolean)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Specifies that SSSD should attempt to map user and group IDs from the "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"ldap_user_objectsid and ldap_group_objectsid attributes instead of relying "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"on ldap_user_uid_number and ldap_group_gid_number."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Currently this feature supports only ActiveDirectory objectSID mapping."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_sasl_mech (string)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_sasl_authid (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specify the SASL authorization id to use. When GSSAPI is used, this "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"represents the Kerberos principal used for authentication to the directory. "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"This option can either contain the full principal (for example host/"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"myhost@EXAMPLE.COM) or just the principal name (for example host/myhost)."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "Default: host/hostname@REALM"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "ldap_sasl_realm (string)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"Specify the SASL realm to use. When not specified, this option defaults to "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"the value of krb5_realm. If the ldap_sasl_authid contains the realm as "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"well, this option is ignored."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Default: the value of krb5_realm."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "ldap_sasl_canonicalize (boolean)"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"If set to true, the LDAP library would perform a reverse lookup to "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"canonicalize the host name during a SASL bind."
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "Default: false;"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_krb5_keytab (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Specify the keytab to use when using SASL/GSSAPI."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_krb5_init_creds (boolean)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Specifies that the id_provider should init Kerberos credentials (TGT). This "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"action is performed only if SASL is used and the mechanism selected is "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_krb5_ticket_lifetime (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: 86400 (24 hours)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "krb5_server, krb5_backup_server (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"Specifies the comma-separated list of IP addresses or hostnames of the "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"Kerberos servers to which SSSD should connect in the order of preference. "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"For more information on failover and server redundancy, see the "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"colon) may be appended to the addresses or hostnames. If empty, service "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"discovery is enabled - for more information, refer to the <quote>SERVICE "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"DISCOVERY</quote> section."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"When using service discovery for KDC or kpasswd servers, SSSD first searches "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"none are found."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"While the legacy name is recognized for the time being, users are advised to "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"migrate their config files to use <quote>krb5_server</quote> instead."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:1565 sssd-ipa.5.xml:371 sssd-krb5.5.xml:103
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "krb5_realm (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:1577 sssd-ipa.5.xml:386 sssd-krb5.5.xml:440
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallaghermsgid "krb5_canonicalize (boolean)"
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"Specifies if the host principal should be canonicalized when connecting to "
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"LDAP server. This feature is available with MIT Kerberos >= 1.7"
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "krb5_use_kdcinfo (boolean)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
0172959f117b545c8a6b1893f5f56818d82dd624Jakub Hrozek"Specifies if the SSSD should instruct the Kerberos libraries what realm and "
0172959f117b545c8a6b1893f5f56818d82dd624Jakub Hrozek"which KDCs to use. This option is on by default, if you disable it, you need "
0172959f117b545c8a6b1893f5f56818d82dd624Jakub Hrozek"to configure the Kerberos library using the <citerefentry> "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"citerefentry> configuration file."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"information on the locator plugin."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_pwd_policy (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Select the policy to evaluate the password expiration on the client side. "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The following values are allowed:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<emphasis>none</emphasis> - No evaluation on the client side. This option "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"cannot disable server-side password policies."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"evaluate if the password has expired."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"to determine if the password has expired. Use chpass_provider=krb5 to update "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"these attributes when the password is changed."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Default: none"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_referrals (boolean)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Specifies whether automatic referral chasing should be enabled."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Please note that sssd only supports referral chasing when it is compiled "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"with OpenLDAP version 2.4.13 or higher."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Chasing referrals may incur a performance penalty in environments that use "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"them heavily, a notable example is Microsoft Active Directory. If your setup "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"does not in fact require the use of referrals, setting this option to false "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"might bring a noticeable performance improvement."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_dns_service_name (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Specifies the service name to use when service discovery is enabled."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: ldap"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_chpass_dns_service_name (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specifies the service name to use to find an LDAP server which allows "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"password changes when service discovery is enabled."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: not set, i.e. service discovery is disabled"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "ldap_chpass_update_last_change (bool)"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Specifies whether to update the ldap_user_shadow_last_change attribute with "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"days since the Epoch after a password change operation."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_access_filter (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"If using access_provider = ldap and ldap_access_order = filter (default), "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"this option is mandatory. It specifies an LDAP search filter criteria that "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"must be met for the user to be granted access on this host. If "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"access_provider = ldap, ldap_access_order = filter and this option is not "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"set, it will result in all users being denied access. Use access_provider = "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"permit to change this default behavior."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Example:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"access_provider = ldap\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com\n"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"This example means that access to this host is restricted to members of the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"\"allowedusers\" group in ldap."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Offline caching for this feature is limited to determining whether the "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"user's last online login was granted access permission. If they were granted "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"access during their last login, they will continue to be granted access "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"while offline and vice-versa."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: Empty"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_account_expire_policy (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"With this option a client side evaluation of access control attributes can "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"Please note that it is always recommended to use server side access control, "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"i.e. the LDAP server should deny the bind request with a suitable error code "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"even if the password is correct."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The following values are allowed:"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"determine if the account is expired."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<emphasis>ad</emphasis>: use the value of the 32bit field "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"ldap_user_ad_user_account_control and allow access if the second bit is not "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"set. If the attribute is missing access is granted. Also the expiration time "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"of the account is checked."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"emphasis>: use the value of ldap_ns_account_lock to check if access is "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"allowed or not."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<emphasis>nds</emphasis>: the values of "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"ldap_user_nds_login_expiration_time are used to check if access is allowed. "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"If both attributes are missing access is granted."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Please note that the ldap_access_order configuration option <emphasis>must</"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"emphasis> include <quote>expire</quote> in order for the "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"ldap_account_expire_policy option to work."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_access_order (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Comma separated list of access control options. Allowed values are:"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "<emphasis>filter</emphasis>: use ldap_access_filter"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"to determine access"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "<emphasis>host</emphasis>: use the host attribute to determine access"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: filter"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"Please note that it is a configuration error if a value is used more than "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_deref (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"Specifies how alias dereferencing is done when performing a search. The "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"following options are allowed:"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"the base object, but not in locating the base object of the search."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"the base object of the search."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"in locating the base object of the search."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"client libraries)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "ldap_rfc2307_fallback_to_local_users (boolean)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"Allows to retain local users as members of an LDAP group for servers that "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"use the RFC2307 schema."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"In some environments where the RFC2307 schema is used, local users are made "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"members of LDAP groups by adding their names to the memberUid attribute. "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The self-consistency of the domain is compromised when this is done, so SSSD "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"would normally remove the \"missing\" users from the cached group "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"memberships as soon as nsswitch tries to fetch information about the user "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"via getpw*() or initgroups() calls."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"This option falls back to checking if local users are referenced, and caches "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"them so that later initgroups() calls will augment the local users with the "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"additional LDAP groups."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"All of the common configuration options that apply to SSSD domains also "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"manvolnum> </citerefentry> manual page for full details. <placeholder type="
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"\"variablelist\" id=\"0\"/>"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "SUDO OPTIONS"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudorule_object_class (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The object class of a sudo rule entry in LDAP."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: sudoRole"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudorule_name (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that corresponds to the sudo rule name."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudorule_command (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that corresponds to the command name."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: sudoCommand"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudorule_host (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that corresponds to the host name (or host IP address, "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"host IP network, or host netgroup)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: sudoHost"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudorule_user (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that corresponds to the user name (or UID, group name or "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"user's netgroup)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: sudoUser"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudorule_option (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that corresponds to the sudo options."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: sudoOption"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudorule_runasuser (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that corresponds to the user name that commands may be "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: sudoRunAsUser"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudorule_runasgroup (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that corresponds to the group name or group GID that "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"commands may be run as."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: sudoRunAsGroup"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudorule_notbefore (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that corresponds to the start date/time for when the sudo "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"rule is valid."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: sudoNotBefore"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudorule_notafter (string)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that corresponds to the expiration date/time, after which "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"the sudo rule will no longer be valid."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: sudoNotAfter"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudorule_order (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that corresponds to the ordering index of the rule."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: sudoOrder"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "ldap_sudo_full_refresh_interval (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"How many seconds SSSD will wait between executing a full refresh of sudo "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"rules (which downloads all rules that are stored on the server)."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "Default: 21600 (6 hours)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "ldap_sudo_smart_refresh_interval (integer)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"How many seconds SSSD has to wait before executing a smart refresh of sudo "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"rules (which downloads all rules that have USN higher than the highest USN "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"of cached rules)."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"If USN attributes are not supported by the server, the modifyTimestamp "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"attribute is used instead."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "ldap_sudo_use_host_filter (boolean)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"If true, SSSD will download only rules that are applicable to this machine "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"(using the IPv4 or IPv6 host/network addresses and hostnames)."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "ldap_sudo_hostnames (string)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"Space separated list of hostnames or fully qualified domain names that "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"should be used to filter the rules."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"If this option is empty, SSSD will try to discover the hostname and the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"fully qualified domain name automatically."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:2132 sssd-ldap.5.xml:2155 sssd-ldap.5.xml:2173
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"emphasis> then this option has no effect."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "Default: not specified"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "ldap_sudo_ip (string)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"Space separated list of IPv4 or IPv6 host/network addresses that should be "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"used to filter the rules."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"If this option is empty, SSSD will try to discover the addresses "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"automatically."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "ldap_sudo_include_netgroups (boolean)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"If true then SSSD will download every rule that contains a netgroup in "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"sudoHost attribute."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "ldap_sudo_include_regexp (boolean)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"If true then SSSD will download every rule that contains a wildcard in "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"sudoHost attribute."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "<placeholder type=\"variablelist\" id=\"0\"/>"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"This manual page only describes attribute name mapping. For detailed "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"explanation of sudo related attribute semantics, see <citerefentry> "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"citerefentry>"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "AUTOFS OPTIONS"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"Please note that the default values correspond to the default schema which "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_autofs_map_object_class (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The object class of an automount map entry in LDAP."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: automountMap"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_autofs_map_name (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The name of an automount map entry in LDAP."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: ou"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_autofs_entry_object_class (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_autofs_entry_key (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The key of an automount entry in LDAP. The entry usually corresponds to a "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_autofs_entry_value (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: automountInformation"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<placeholder type=\"variablelist\" id=\"0\"/> <placeholder type="
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"\"variablelist\" id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/> "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<placeholder type=\"variablelist\" id=\"3\"/> <placeholder type="
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"\"variablelist\" id=\"4\"/>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ADVANCED OPTIONS"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_netgroup_search_base (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_user_search_base (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ldap_group_search_base (string)"
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallaghermsgid "ldap_user_search_filter (string)"
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher"This option specifies an additional LDAP search filter criteria that "
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher"restrict user searches."
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"This option is <emphasis>deprecated</emphasis> in favor of the syntax used "
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"by ldap_user_search_base."
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher" ldap_user_search_filter = (loginShell=/bin/tcsh)\n"
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher"This filter would restrict user searches to users that have their shell set "
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallaghermsgid "ldap_group_search_filter (string)"
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher"This option specifies an additional LDAP search filter criteria that "
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher"restrict group searches."
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"This option is <emphasis>deprecated</emphasis> in favor of the syntax used "
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"by ldap_group_search_base."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_sudo_search_base (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ldap_autofs_search_base (string)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"These options are supported by LDAP domains, but they should be used with "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"caution. Please include them in your configuration only if you know what you "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"are doing. <placeholder type=\"variablelist\" id=\"0\"/>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The following example assumes that SSSD is correctly configured and LDAP is "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"set to one of the domains in the <replaceable>[domains]</replaceable> "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><programlisting>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" id_provider = ldap\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" auth_provider = ldap\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" ldap_uri = ldap://ldap.mydomain.org\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" ldap_search_base = dc=mydomain,dc=org\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" ldap_tls_reqcert = demand\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" cache_credentials = true\n"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:2385 sssd-simple.5.xml:139 sssd-ipa.5.xml:748
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ad.5.xml:296 sssd-sudo.5.xml:56 sssd-sudo.5.xml:78 sssd-krb5.5.xml:515
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<placeholder type=\"programlisting\" id=\"0\"/>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ldap.5.xml:2398 sssd_krb5_locator_plugin.8.xml:61 sssd-ad.5.xml:311
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The descriptions of some of the configuration options in this manual page "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"distribution."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refentryinfo>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<productname>SSSD</productname> <orgname>The SSSD upstream - http://"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "pam_sss"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "PAM module for SSSD"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>pam_sss.so</command> is the PAM interface to the System Security "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Services daemon (SSSD). Errors and results are logged through "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"<command>syslog(3)</command> with the LOG_AUTHPRIV facility."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "<option>quiet</option>"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "Suppress log messages for unknown users."
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>forward_pass</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If <option>forward_pass</option> is set the entered password is put on the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"stack for other PAM modules to use."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>use_first_pass</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The argument use_first_pass forces the module to use a previous stacked "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"modules password and will never prompt the user - if no password is "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"available or the password is not appropriate, the user will be denied access."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>use_authtok</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"When password changing enforce the module to set the new password to the one "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"provided by a previously stacked password module."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>retry=N</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If specified the user is asked another N times for a password if "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"authentication fails. Default is 0."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Please note that this option might not work as expected if the application "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"calling PAM handles the user dialog on its own. A typical example is "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sshd</command> with <option>PasswordAuthentication</option>."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "MODULE TYPES PROVIDED"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"All module types (<option>account</option>, <option>auth</option>, "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<option>password</option> and <option>session</option>) are provided."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If a password reset by root fails, because the corresponding SSSD provider "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"does not support password resets, an individual message can be displayed. "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"This message can e.g. contain instructions about how to reset a password."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"filename> where LOC stands for a locale string returned by <citerefentry> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"citerefentry>. If there is no matching file the content of "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"the owner of the files and only root may have read and write permissions "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"while all other users must have only read permissions."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"These files are searched in the directory <filename>/etc/sssd/customize/"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sssd_krb5_locator_plugin"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"libraries what Realm and which KDC to use. Typically this is done in "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"To simplify the configuration the Realm and the KDC can be defined in "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"manvolnum> </citerefentry> as described in <citerefentry> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"citerefentry>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"</citerefentry> puts the Realm and the name or IP address of the KDC into "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"libraries it reads and evaluates these variables and returns them to the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Not all Kerberos implementations support the use of plugins. If "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sssd_krb5_locator_plugin</command> is not available on your system "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"debug messages will be sent to stderr."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sssd-simple"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "the configuration file for SSSD's 'simple' access-control provider"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"This manual page describes the configuration of the simple access-control "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"citerefentry> manual page."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The simple access provider grants or denies access based on an access or "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"deny list of user or group names. The following rules apply:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "If all lists are empty, access is granted"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If any list is provided, the order of evaluation is allow,deny. This means "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"that any matching deny rule will supersede any matched allow rule."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If either or both \"allow\" lists are provided, all users are denied unless "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"they appear in the list."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If only \"deny\" lists are provided, all users are granted access unless "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"they appear in the list."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "simple_allow_users (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Comma separated list of users who are allowed to log in."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "simple_deny_users (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Comma separated list of users who are explicitly denied access."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "simple_allow_groups (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Comma separated list of groups that are allowed to log in. This applies only "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"to groups within this SSSD domain. Local groups are not evaluated."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "simple_deny_groups (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Comma separated list of groups that are explicitly denied access. This "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"applies only to groups within this SSSD domain. Local groups are not "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-simple.5.xml:70 sssd-ipa.5.xml:71 sssd-ad.5.xml:79
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"citerefentry> manual page for details on the configuration of an SSSD "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"Specifying no values for any of the lists is equivalent to skipping it "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"entirely. Beware of this while generating parameters for the simple provider "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"using automated scripts."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Please note that it is an configuration error if both, simple_allow_users "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"and simple_deny_users, are defined."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The following example assumes that SSSD is correctly configured and example."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"This examples shows only the simple access provider-specific options."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><programlisting>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" access_provider = simple\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" simple_allow_users = user1, user2\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sssd-ipa"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"This manual page describes the configuration of the IPA provider for "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The IPA provider is a back end used to connect to an IPA server. (Refer to "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"the freeipa.org web site for information about IPA servers.) This provider "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"requires that the machine be joined to the IPA domain; configuration is "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"almost entirely self-discovered and obtained directly from the server."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The IPA provider accepts the same options used by the <citerefentry> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"provider with some exceptions described below."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"However, it is neither necessary nor recommended to set these options. IPA "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"provider can also be used as an access and chpass provider. As an access "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"provider it uses HBAC (host-based access control) rules. Please refer to "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"freeipa.org for more information about HBAC. No configuration of access "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"provider is required on the client side."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The IPA provider will use the PAC responder if the Kerberos tickets of users "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"from trusted realms contain a PAC. To make configuration easier the PAC "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"responder is started automatically if the IPA ID provider is configured."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ipa_domain (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Specifies the name of the IPA domain. This is optional. If not provided, "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"the configuration domain name is used."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "ipa_server, ipa_backup_server (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"The comma-separated list of IP addresses or hostnames of the IPA servers to "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"which SSSD should connect in the order of preference. For more information "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"This is optional if autodiscovery is enabled. For more information on "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ipa_hostname (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Optional. May be set on machines where the hostname(5) does not reflect the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"fully qualified name used in the IPA domain to identify this host."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_update (boolean)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Optional. This option tells SSSD to automatically update the DNS server "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"built into FreeIPA v2 with the IP address of this client. The update is "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"secured using GSS-TSIG. The IP address of the IPA LDAP connection is used "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"for the updates, if it is not otherwise specified by using the "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"<quote>dyndns_iface</quote> option."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"the default Kerberos realm must be set properly in /etc/krb5.conf"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> option, users should migrate to using <emphasis>dyndns_update</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> in their config file."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_ttl (integer)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The TTL to apply to the client DNS record when updating it. If "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"dyndns_update is false this has no effect. This will override the TTL "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"serverside if set by an administrator."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> option, users should migrate to using <emphasis>dyndns_ttl</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> in their config file."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Default: 1200 (seconds)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_iface (string)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Optional. Applicable only when dyndns_update is true. Choose the interface "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"whose IP address should be used for dynamic DNS updates."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> option, users should migrate to using <emphasis>dyndns_iface</"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"emphasis> in their config file."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: Use the IP address of the IPA LDAP connection"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "ipa_enable_dns_sites (boolean)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "Enables DNS sites - location based service discovery."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"If true and service discovery (see Service Discovery paragraph at the bottom "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"of the man page) is enabled, then the SSSD will first attempt location "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"based discovery using a query that contains \"_location.hostname.example.com"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"\" and then fall back to traditional SRV discovery. If the location based "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"discovery succeeds, the IPA servers located with the location based "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"discovery are treated as primary servers and the IPA servers located using "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"the traditional SRV discovery are used as back up servers"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_refresh_interval (integer)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"How often should the back end perform periodic DNS update in addition to the "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"automatic update performed when the back end goes online. This option is "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"optional and applicable only when dyndns_update is true."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_update_ptr (bool)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Whether the PTR record should also be explicitly updated when updating the "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"client's DNS records. Applicable only when dyndns_update is true."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"This option should be False in most IPA deployments as the IPA server "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"generates the PTR records automatically when forward records are changed."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "Default: False (disabled)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "dyndns_force_tcp (bool)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Whether the nsupdate utility should default to using TCP for communicating "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"with the DNS server."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "Default: False (let nsupdate choose the protocol)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "ipa_hbac_search_base (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallaghermsgid "Optional. Use the given string as search base for HBAC related objects."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: Use base DN"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_host_search_base (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Optional. Use the given string as search base for host objects."
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ipa.5.xml:280 sssd-ipa.5.xml:304 sssd-ipa.5.xml:323 sssd-ipa.5.xml:342
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"See <quote>ldap_search_base</quote> for information about configuring "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"multiple search bases."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"If filter is given in any of search bases and "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"<emphasis>ipa_hbac_support_srchost</emphasis> is set to False, the filter "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"will be ignored."
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#: sssd-ipa.5.xml:290 sssd-ipa.5.xml:309 include/ldap_search_bases.xml:23
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#: include/ldap_search_bases_experimental.xml:23
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_selinux_search_base (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Optional. Use the given string as search base for SELinux user maps."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ipa_subdomains_search_base (string)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Optional. Use the given string as search base for trusted domains."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "ipa_master_domain_search_base (string)"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "Optional. Use the given string as search base for master domain object."
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallaghermsgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "krb5_validate (boolean)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Verify with the help of krb5_keytab that the TGT obtained has not been "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Note that this default differs from the traditional Kerberos provider back "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The name of the Kerberos realm. This is optional and defaults to the value "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"of <quote>ipa_domain</quote>."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The name of the Kerberos realm has a special meaning in IPA - it is "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"converted into the base DN to use for performing LDAP operations."
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"Specifies if the host and user principal should be canonicalized when "
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"connecting to IPA LDAP and also for AS requests. This feature is available "
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher"with MIT Kerberos >= 1.7"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "ipa_hbac_refresh (integer)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"The amount of time between lookups of the HBAC rules against the IPA server. "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"This will reduce the latency and load on the IPA server if there are many "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"access-control requests made in a short period."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "Default: 5 (seconds)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "ipa_hbac_selinux (integer)"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The amount of time between lookups of the SELinux maps against the IPA "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"server. This will reduce the latency and load on the IPA server if there are "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"many user login requests made in a short period."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "ipa_hbac_treat_deny_as (string)"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"This option specifies how to treat the deprecated DENY-type HBAC rules. As "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"of FreeIPA v2.1, DENY rules are no longer supported on the server. All users "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"of FreeIPA will need to migrate their rules to use only the ALLOW rules. The "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"client will support two modes of operation during this transition period:"
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"<emphasis>DENY_ALL</emphasis>: If any HBAC DENY rules are detected, all "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"users will be denied access."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"<emphasis>IGNORE</emphasis>: SSSD will ignore any DENY rules. Be very "
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher"careful with this option, as it may result in opening unintended access."
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
9643e7da1a54a9edb2360ab8f855664a8b4397caStephen Gallaghermsgid "Default: DENY_ALL"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "ipa_hbac_support_srchost (boolean)"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"If this is set to false, then srchost as given to SSSD by PAM will be "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"Note that if set to <emphasis>False</emphasis>, this option casuses filters "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"given in <emphasis>ipa_host_search_base</emphasis> to be ignored;"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
292cbb3fbe41bb7ee09b67c3ec59ab7c7ba5220eStephen Gallaghermsgid "ipa_automount_location (string)"
292cbb3fbe41bb7ee09b67c3ec59ab7c7ba5220eStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
292cbb3fbe41bb7ee09b67c3ec59ab7c7ba5220eStephen Gallaghermsgid "The automounter location this IPA client will be using"
292cbb3fbe41bb7ee09b67c3ec59ab7c7ba5220eStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
292cbb3fbe41bb7ee09b67c3ec59ab7c7ba5220eStephen Gallaghermsgid "Default: The location named \"default\""
292cbb3fbe41bb7ee09b67c3ec59ab7c7ba5220eStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "ipa_netgroup_member_of (string)"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "The LDAP attribute that lists netgroup's memberships."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "ipa_netgroup_member_user (string)"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"The LDAP attribute that lists system users and groups that are direct "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"members of the netgroup."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "Default: memberUser"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "ipa_netgroup_member_host (string)"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"The LDAP attribute that lists hosts and host groups that are direct members "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"of the netgroup."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "Default: memberHost"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "ipa_netgroup_member_ext_host (string)"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"The LDAP attribute that lists FQDNs of hosts and host groups that are "
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"members of the netgroup."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "Default: externalHost"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "ipa_netgroup_domain (string)"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "The LDAP attribute that contains NIS domain name of the netgroup."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "Default: nisDomainName"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "ipa_host_object_class (string)"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "The object class of a host entry in LDAP."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "Default: ipaHost"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "ipa_host_fqdn (string)"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "The LDAP attribute that contains FQDN of the host."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "Default: fqdn"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_selinux_usermap_object_class (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_selinux_usermap_name (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that contains the name of SELinux usermap."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_selinux_usermap_member_user (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that contains all users / groups this rule match against."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_selinux_usermap_member_host (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that contains all hosts / hostgroups this rule match "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_selinux_usermap_see_also (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that contains DN of HBAC rule which can be used for "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"matching instead of memberUser and memberHost"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: seeAlso"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_selinux_usermap_selinux_user (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that contains SELinux user string itself."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: ipaSELinuxUser"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_selinux_usermap_enabled (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallagher"The LDAP attribute that contains whether or not is user map enabled for "
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: ipaEnabledFlag"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_selinux_usermap_user_category (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that contains user category such as 'all'."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: userCategory"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_selinux_usermap_host_category (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that contains host category such as 'all'."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: hostCategory"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_selinux_usermap_uuid (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that contains unique ID of the user map."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: ipaUniqueID"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "ipa_host_ssh_public_key (string)"
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "The LDAP attribute that contains the host's SSH public keys."
056302a92862fda16351d7192600746746f38e5dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
056302a92862fda16351d7192600746746f38e5dStephen Gallaghermsgid "Default: ipaSshPubKey"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "SUBDOMAINS PROVIDER"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The IPA subdomains provider behaves slightly differently if it is configured "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"explicitly or implicitly."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"If the option 'subdomains_provider = ipa' is found in the domain section of "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"sssd.conf, the IPA subdomains provider is configured explicitly, and all "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"subdomain requests are sent to the IPA server if necessary."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"If the option 'subdomains_provider' is not set in the domain section of sssd."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"conf but there is the option 'id_provider = ipa', the IPA subdomains "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"provider is configured implicitly. In this case, if a subdomain request "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"fails and indicates that the server does not support subdomains, i.e. is not "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"configured for trusts, the IPA subdomains provider is disabled. After an "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"hour or after the IPA provider goes online, the subdomains provider is "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"enabled again."
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The following example assumes that SSSD is correctly configured and example."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"This examples shows only the ipa provider-specific options."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><programlisting>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" id_provider = ipa\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" ipa_hostname = myhost.example.com\n"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "sssd-ad"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"This manual page describes the configuration of the AD provider for "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"The AD provider is a back end used to connect to an Active Directory server. "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"This provider requires that the machine be joined to the AD domain and a "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"keytab is available."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"The AD provider supports connecting to Active Directory 2008 R2 or later. "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"Earlier versions may work, but are unsupported."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"The AD provider accepts the same options used by the <citerefentry> "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"provider with some exceptions described below."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"However, it is neither necessary nor recommended to set these options. The "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"AD provider can also be used as an access and chpass provider. No "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"configuration of the access provider is required on the client side."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_id_mapping = False\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"By default, the AD provider will map UID and GID values from the objectSID "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"parameter in Active Directory. For details on this, see the <quote>ID "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"MAPPING</quote> section below. If you want to disable ID mapping and instead "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"rely on POSIX attributes defined in Active Directory, you should set "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/> Users, groups and other "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"entities served by SSSD are always treated as case-insensitive in the AD "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"provider for compatibility with Active Directory's LDAP implementation."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "ad_domain (string)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"Specifies the name of the Active Directory domain. This is optional. If not "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"provided, the configuration domain name is used."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"For proper operation, this option should be specified as the lower-case "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"version of the long version of the Active Directory domain."
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"The short domain name (also known as the NetBIOS or the flat name) is "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"autodetected by the SSSD."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "ad_server, ad_backup_server (string)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"The comma-separated list of IP addresses or hostnames of the AD servers to "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"which SSSD should connect in order of preference. For more information on "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"failover and server redundancy, see the <quote>FAILOVER</quote> section. "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"This is optional if autodiscovery is enabled. For more information on "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "ad_hostname (string)"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"Optional. May be set on machines where the hostname(5) does not reflect the "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"fully qualified name used in the Active Directory domain to identify this "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"This field is used to determine the host principal in use in the keytab. It "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"must match the hostname for which the keytab was issued."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "ad_enable_dns_sites (boolean)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"If true and service discovery (see Service Discovery paragraph at the bottom "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"of the man page) is enabled, the SSSD will first attempt to discover the "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Active Directory server to connect to using the Active Directory Site "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Discovery and fall back to the DNS SRV records if no AD site is found. The "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"DNS SRV configuration, including the discovery domain, is used during site "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"discovery as well."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Optional. This option tells SSSD to automatically update the Active "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"Directory DNS server with the IP address of this client. The update is "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"secured using GSS-TSIG. As a consequence, the Active Directory administrator "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"only needs to allow secure updates for the DNS zone. The IP address of the "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"AD LDAP connection is used for the updates, if it is not otherwise specified "
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek"by using the <quote>dyndns_iface</quote> option."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "Default: 3600 (seconds)"
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
b20208b80e99abb79c00d5ec526caa9465859c52Jakub Hrozekmsgid "Default: Use the IP address of the AD LDAP connection"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "krb5_use_enterprise_principal (boolean)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Specifies if the user principal should be treated as enterprise principal. "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"See section 5 of RFC 6806 for more details about enterprise principals."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"The following example assumes that SSSD is correctly configured and example."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"This example shows only the AD provider-specific options."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"id_provider = ad\n"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"auth_provider = ad\n"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"access_provider = ad\n"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"chpass_provider = ad\n"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"ad_hostname = client.example.com\n"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"ad_domain = example.com\n"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"access_provider = ldap\n"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"ldap_access_order = expire\n"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"ldap_account_expire_policy = ad\n"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"The AD access control provider checks if the account is expired. It has the "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"same effect as the following configuration of the LDAP provider: "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"<placeholder type=\"programlisting\" id=\"0\"/>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "sssd-sudo"
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "Configuring sudo with the SSSD back end"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"This manual page describes how to configure <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"to work with <citerefentry> <refentrytitle>sssd</refentrytitle> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Configuring sudo to cooperate with SSSD"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"the <emphasis>sudoers</emphasis> entry in <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"For example, to configure sudo to first lookup rules in the standard "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"manvolnum> </citerefentry> file (which should contain rules that apply to "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"local users) and then in SSSD, the nsswitch.conf file should contain the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"following line:"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "sudoers: files sss\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"More information about configuring the sudoers search order from the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"nsswitch.conf file as well as information about the LDAP schema that is used "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"to store sudo rules in the directory can be found in <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Configuring SSSD to fetch sudo rules"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The following example shows how to configure SSSD to download sudo rules "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"from an LDAP server."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><programlisting>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"config_file_version = 2\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"services = nss, pam, sudo\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"domains = EXAMPLE\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"id_provider = ldap\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"sudo_provider = ldap\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_uri = ldap://example.com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"When the SSSD is configured to use the IPA provider, the sudo provider is "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"automatically enabled. The sudo search base is configured to use the compat "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"tree (ou=sudoers,$DC)."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "The SUDO rule caching mechanism"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The biggest challenge, when developing sudo support in SSSD, was to ensure "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"that running sudo with SSSD as the data source provides the same user "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"experience and is as fast as sudo but keeps providing the most current set "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"of rules as possible. To satisfy these requirements, SSSD uses three kinds "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"of updates. They are referred to as full refresh, smart refresh and rules "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The <emphasis>smart refresh</emphasis> periodically downloads rules that are "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"new or were modified after the last update. Its primary goal is to keep the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"database growing by fetching only small increments that do not generate "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"large amounts of network traffic."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"in the cache and replaces them with all rules that are stored on the server. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"This is used to keep the cache consistent by removing every rule which was "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"deleted from the server. However, full refresh may produce a lot of traffic "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"and thus it should be run only occasionally depending on the size and "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"stability of the sudo rules."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The <emphasis>rules refresh</emphasis> ensures that we do not grant the user "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"more permission than defined. It is triggered each time the user runs sudo. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Rules refresh will find all rules that apply to this user, check their "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"expiration time and redownload them if expired. In the case that any of "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"these rules are missing on the server, the SSSD will do an out of band full "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"refresh because more rules (that apply to other users) may have been deleted."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"If enabled, SSSD will store only rules that can be applied to this machine. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"This means rules that contain one of the following values in "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<emphasis>sudoHost</emphasis> attribute:"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "keyword ALL"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozekmsgid "wildcard"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "netgroup (in the form \"+netgroup\")"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "hostname or fully qualified domain name of this machine"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "one of the IP addresses of this machine"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "one of the IP addresses of the network (in the form \"address/mask\")"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"There are many configuration options that can be used to adjust the "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry>."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "System Security Services Daemon"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>SSSD</command> provides a set of daemons to manage access to remote "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"directories and authentication mechanisms. It provides an NSS and PAM "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"interface toward the system and a pluggable backend system to connect to "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"multiple different account sources as well as D-Bus interface. It is also "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"the basis to provide client auditing and policy services for projects like "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"FreeIPA. It provides a more robust database to store local users as well as "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"extended user data."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher"<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages"
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
52261fe16203dec6e6f69177c6d0a810b47d073fStephen Gallaghermsgid "<emphasis>0</emphasis>: Disable microseconds in timestamp"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-f</option>,<option>--debug-to-files</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Send the debug output to files instead of stderr. By default, the log files "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"are stored in <filename>/var/log/sssd</filename> and there are separate log "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"files for every SSSD service and domain."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-D</option>,<option>--daemon</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Become a daemon after starting up."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-i</option>,<option>--interactive</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Run in the foreground, don't become a daemon."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-c</option>,<option>--config</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"conf</filename>. For reference on the config file syntax and options, "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<manvolnum>5</manvolnum> </citerefentry> manual page."
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "<option>--version</option>"
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallaghermsgid "Print version number and exit."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Signals"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Informs the SSSD to gracefully terminate all of its child processes and then "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"shut down the monitor."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Tells the SSSD to stop writing to its current debug file descriptors and to "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"close and reopen them. This is meant to facilitate log rolling with programs "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"like logrotate."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "SIGUSR1"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Tells the SSSD to simulate offline operation for one minute. This is mostly "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"useful for testing purposes."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "SIGUSR2"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Tells the SSSD to go online immediately. This is mostly useful for testing "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sss_obfuscate"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "obfuscate a clear text password"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable></arg>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sss_obfuscate</command> converts a given password into human-"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"unreadable format and places it into appropriate domain section of the SSSD "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The cleartext password is read from standard input or entered "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"interactively. The obfuscated password is put into "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<quote>ldap_default_authtok_type</quote> parameter is set to "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"citerefentry> for more details on these parameters."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Please note that obfuscating the password provides <emphasis>no real "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"security benefit</emphasis> as it is still possible for an attacker to "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"reverse-engineer the password back. Using better authentication mechanisms "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-s</option>,<option>--stdin</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The password to obfuscate will be read from standard input."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
ea929f1b022fc2cb77dec89b0e12accef983ec85Jakub Hrozek#: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:79
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The SSSD domain to use the password in. The default name is <quote>default</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Read the config file specified by the positional parameter."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sss_useradd"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "create a new user"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sss_useradd</command> creates a new user account using the values "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"specified on the command line plus the default values from the system."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"not given, it is chosen automatically."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:55 sss_usermod.8.xml:43 sss_seed.8.xml:100
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:60 sss_usermod.8.xml:48 sss_seed.8.xml:105
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Any text string describing the user. Often used as the field for the user's "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:67 sss_usermod.8.xml:55 sss_seed.8.xml:112
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The home directory of the user account. The default is to append the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"that as the home directory. The base that is prepended before "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"baseDirectory</quote> setting in sssd.conf."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#: sss_useradd.8.xml:82 sss_usermod.8.xml:66 sss_seed.8.xml:124
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The user's login shell. The default is currently <filename>/bin/bash</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"filename>. The default can be changed with <quote>user_defaults/"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"defaultShell</quote> setting in sssd.conf."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "A list of existing groups this user is also a member of."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-m</option>,<option>--create-home</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Create the user's home directory if it does not exist. The files and "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"directories contained in the skeleton directory (which can be defined with "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"the -k option or in the config file) will be copied to the home directory."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-M</option>,<option>--no-create-home</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Do not create the user's home directory. Overrides configuration settings."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The skeleton directory, which contains files and directories to be copied in "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"the user's home directory, when the home directory is created by "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sss_useradd</command>."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"This option is only valid if the <option>-m</option> (or <option>--create-"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"home</option>) option is specified, or creation of home directories is set "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"to TRUE in the configuration."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_useradd.8.xml:152 sss_usermod.8.xml:124
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<option>-Z</option>,<option>--selinux-user</option> "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<replaceable>SELINUX_USER</replaceable>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The SELinux user for the user's login. If not specified, the system default "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"will be used."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sssd-krb5"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"This manual page describes the configuration of the Kerberos 5 "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"authentication backend for <citerefentry> <refentrytitle>sssd</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"manvolnum> </citerefentry> manual page."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The Kerberos 5 authentication backend contains auth and chpass providers. It "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"must be paired with an identity provider in order to function properly (for "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"example, id_provider = ldap). Some information required by the Kerberos 5 "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"authentication backend must be provided by the identity provider, such as "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"the user's Kerberos Principal Name (UPN). The configuration of the identity "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"provider should have an entry to specify the UPN. Please refer to the man "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"page for the applicable identity provider for details on how to configure "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"This backend also provides access control based on the .k5login file in the "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Please note that an empty .k5login file will deny all access to this user. "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"To activate this feature, use 'access_provider = krb5' in your SSSD "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"configuration."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"In the case where the UPN is not available in the identity backend, "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sssd</command> will construct a UPN using the format "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Specifies the comma-separated list of IP addresses or hostnames of the "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Kerberos servers to which SSSD should connect, in the order of preference. "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"For more information on failover and server redundancy, see the "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<quote>FAILOVER</quote> section. An optional port number (preceded by a "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"colon) may be appended to the addresses or hostnames. If empty, service "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"discovery is enabled; for more information, refer to the <quote>SERVICE "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"DISCOVERY</quote> section."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The name of the Kerberos realm. This option is required and must be "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "krb5_kpasswd, krb5_backup_kpasswd (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"If the change password service is not running on the KDC, alternative "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"servers can be defined here. An optional port number (preceded by a colon) "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"may be appended to the addresses or hostnames."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"For more information on failover and server redundancy, see the "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"servers to try, the backend is not switched to operate offline if "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"authentication against the KDC is still possible."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: Use the KDC"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "krb5_ccachedir (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Directory to store credential caches. All the substitution sequences of "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"krb5_ccname_template can be used here, too, except %d and %P. If the "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"directory does not exist, it will be created. If %u, %U, %p or %h are used, "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"a private directory belonging to the user is created. Otherwise, a public "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"directory with restricted deletion flag (aka sticky bit, as described in "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<citerefentry> <refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"</citerefentry> for details) is created."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: /tmp"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "krb5_ccname_template (string)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-krb5.5.xml:169 include/override_homedir.xml:11
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-krb5.5.xml:170 include/override_homedir.xml:12
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "login name"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-krb5.5.xml:173 include/override_homedir.xml:15
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "login UID"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "principal name"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "realm name"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "home directory"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-krb5.5.xml:191 include/override_homedir.xml:19
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "value of krb5ccache_dir"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "the process ID of the SSSD client"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-krb5.5.xml:203 include/override_homedir.xml:34
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-krb5.5.xml:204 include/override_homedir.xml:35
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "a literal '%'"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"Location of the user's credential cache. Two credential cache types are "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"currently supported: <quote>FILE</quote> and <quote>DIR</quote>. The cache "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"can be specified either as <replaceable>TYPE:RESIDUAL</replaceable>, or as "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"an absolute path, which implies the <quote>FILE</quote> type. In the "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"template, the following sequences are substituted: <placeholder type="
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"\"variablelist\" id=\"0\"/> If the template ends with 'XXXXXX' mkstemp(3) is "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"used to create a unique filename in a safe way."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: FILE:%d/krb5cc_%U_XXXXXX"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "krb5_auth_timeout (integer)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Timeout in seconds after an online authentication request or change password "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"request is aborted. If possible, the authentication request is continued "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Verify with the help of krb5_keytab that the TGT obtained has not been "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"spoofed. The keytab is checked for entries sequentially, and the first entry "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"with a matching realm is used for validation. If no entry matches the realm, "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"the last entry in the keytab is used. This process can be used to validate "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"environments using cross-realm trust by placing the appropriate keytab entry "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"as the last entry or the only entry in the keytab file."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "krb5_keytab (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The location of the keytab to use when validating credentials obtained from "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "krb5_store_password_if_offline (boolean)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Store the password of the user if the provider is offline and use it to "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"request a TGT when the provider comes online again."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"NOTE: this feature is only available on Linux. Passwords stored in this way "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"are kept in plaintext in the kernel keyring and are potentially accessible "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"by the root user (with difficulty)."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "krb5_renewable_lifetime (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"Request a renewable ticket with a total lifetime, given as an integer "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"immediately followed by a time unit:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:326 sssd-krb5.5.xml:363
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "<emphasis>s</emphasis> for seconds"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-krb5.5.xml:295 sssd-krb5.5.xml:329 sssd-krb5.5.xml:366
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "<emphasis>m</emphasis> for minutes"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-krb5.5.xml:298 sssd-krb5.5.xml:332 sssd-krb5.5.xml:369
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "<emphasis>h</emphasis> for hours"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sssd-krb5.5.xml:301 sssd-krb5.5.xml:335 sssd-krb5.5.xml:372
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "<emphasis>d</emphasis> for days."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "If there is no unit given, <emphasis>s</emphasis> is assumed."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"NOTE: It is not possible to mix units. To set the renewable lifetime to one "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"and a half hours, use '90m' instead of '1h30m'."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: not set, i.e. the TGT is not renewable"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "krb5_lifetime (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Request ticket with a lifetime, given as an integer immediately followed by "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"a time unit:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "If there is no unit given <emphasis>s</emphasis> is assumed."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"NOTE: It is not possible to mix units. To set the lifetime to one and a "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"half hours please use '90m' instead of '1h30m'."
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Default: not set, i.e. the default ticket lifetime configured on the KDC."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "krb5_renew_interval (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The time in seconds between two checks if the TGT should be renewed. TGTs "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"are renewed if about half of their lifetime is exceeded, given as an integer "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"immediately followed by a time unit:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "If this option is not set or is 0 the automatic renewal is disabled."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "krb5_use_fast (string)"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"authentication. The following options are supported:"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"option at all."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<emphasis>try</emphasis> to use FAST. If the server does not support FAST, "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"continue the authentication without it."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<emphasis>demand</emphasis> to use FAST. The authentication fails if the "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"server does not require fast."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Default: not set, i.e. FAST is not used."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozekmsgid "NOTE: a keytab is required to use FAST."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"SSSD is used with an older version of MIT Kerberos, using this option is a "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"configuration error."
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallaghermsgid "krb5_fast_principal (string)"
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
333b7970cc60c6277363c80564456a716c2d6634Stephen Gallaghermsgid "Specifies the server principal to use for FAST."
3a8abe04137d028b8ebd1cb33152aefa55893efbStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
bdd205037059e56484de3174951b22ff8f0f79f8Stephen Gallagher"Specifies if the host and user principal should be canonicalized. This "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"feature is available with MIT Kerberos 1.7 and later versions."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "Default: false (AD provide: true)"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"If the auth-module krb5 is used in an SSSD domain, the following options "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"must be used. See the <citerefentry> <refentrytitle>sssd.conf</"
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The following example assumes that SSSD is correctly configured and FOO is "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
e5c33e0bd03a2deb8e5011deeb3ae93f960910eeJakub Hrozek"example shows only configuration of Kerberos authentication; it does not "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"include any identity provider."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><programlisting>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" auth_provider = krb5\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" krb5_server = 192.168.1.1\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher" krb5_realm = EXAMPLE.COM\n"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sss_groupadd"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "create a new group"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sss_groupadd</command> creates a new group. These groups are "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"compatible with POSIX groups, with the additional feature that they can "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"contain other groups as members."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Set the GID of the group to the value of <replaceable>GID</replaceable>. If "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"not given, it is chosen automatically."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sss_userdel"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "delete a user account"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sss_userdel</command> deletes a user identified by login name "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<replaceable>LOGIN</replaceable> from the system."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-r</option>,<option>--remove</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Files in the user's home directory will be removed along with the home "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"directory itself and the user's mail spool. Overrides the configuration."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-R</option>,<option>--no-remove</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Files in the user's home directory will NOT be removed along with the home "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"directory itself and the user's mail spool. Overrides the configuration."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-f</option>,<option>--force</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"This option forces <command>sss_userdel</command> to remove the user's home "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"directory and mail spool, even if they are not owned by the specified user."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-k</option>,<option>--kick</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Before actually deleting the user, terminate all his processes."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sss_groupdel"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "delete a group"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sss_groupdel</command> deletes a group identified by its name "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<replaceable>GROUP</replaceable> from the system."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sss_groupshow"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "print properties of a group"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sss_groupshow</command> displays information about a group "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"identified by its name <replaceable>GROUP</replaceable>. The information "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"includes the group ID number, members of the group and the parent group."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-R</option>,<option>--recursive</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Also print indirect group members in a tree-like hierarchy. Note that this "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"also affects printing parent groups - without <option>R</option>, only the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"direct parent will be printed."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "sss_usermod"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "modify a user account"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<command>sss_usermod</command> modifies the account specified by "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"on the command line."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The home directory of the user account."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The user's login shell."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Append this user to groups specified by the <replaceable>GROUPS</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"a comma separated list of group names."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"Remove this user from groups specified by the <replaceable>GROUPS</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"replaceable> parameter."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-l</option>,<option>--lock</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Lock the user account. The user won't be able to log in."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<option>-u</option>,<option>--unlock</option>"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Unlock the user account."
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The SELinux user for the user's login."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "sss_cache"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "perform cache cleanup"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<command>sss_cache</command> <arg choice='opt'> <replaceable>options</"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"replaceable> </arg>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<command>sss_cache</command> invalidates records in SSSD cache. Invalidated "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"records are forced to be reloaded from server as soon as related SSSD "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"backend is online."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "Invalidate specific user."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "<option>-U</option>,<option>--users</option>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"Invalidate all user records. This option overrides invalidation of specific "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"user if it was also set."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "Invalidate specific group."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "<option>-G</option>,<option>--groups</option>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"Invalidate all group records. This option overrides invalidation of specific "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"group if it was also set."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "Invalidate specific netgroup."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "<option>-N</option>,<option>--netgroups</option>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"Invalidate all netgroup records. This option overrides invalidation of "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"specific netgroup if it was also set."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<option>-s</option>,<option>--service</option> <replaceable>service</"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Invalidate specific service."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "<option>-S</option>,<option>--services</option>"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Invalidate all service records. This option overrides invalidation of "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"specific service if it was also set."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Invalidate specific autofs maps."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "<option>-A</option>,<option>--autofs-maps</option>"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Invalidate all autofs maps. This option overrides invalidation of specific "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"map if it was also set."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<option>-d</option>,<option>--domain</option> <replaceable>domain</"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "Restrict invalidation process only to a particular domain."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "sss_debuglevel"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "change debug level while SSSD is running"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"replaceable></arg>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<command>sss_debuglevel</command> changes debug level of SSSD monitor and "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"providers to <replaceable>NEW_DEBUG_LEVEL</replaceable> while SSSD is "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "<replaceable>NEW_DEBUG_LEVEL</replaceable>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refname>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "sss_seed"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refnamediv><refpurpose>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "seed the SSSD cache with a user"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<command>sss_seed</command> <arg choice='opt'> <replaceable>options</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<command>sss_seed</command> seeds the SSSD cache with a user entry and "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"temporary password. If a user entry is already present in the SSSD cache "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"then the entry is updated with the temporary password."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Provide the name of the domain in which the user is a member of. The domain "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"is also used to retrieve user information. The domain must be configured in "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Information retrieved from the domain overrides what is provided in the "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<option>-n</option>,<option>--username</option> <replaceable>USER</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"The username of the entry to be created or modified in the cache. The "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<replaceable>USER</replaceable> option must be provided."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Set the UID of the user to <replaceable>UID</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Set the GID of the user to <replaceable>GID</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Set the home directory of the user to <replaceable>HOME_DIR</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozekmsgid "Set the login shell of the user to <replaceable>SHELL</replaceable>."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Interactive mode for entering user information. This option will only prompt "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"for information not provided in the options or retrieved from the domain."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"replaceable>"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"Specify file to read user's password from. (if not specified password is "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"prompted for)"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"The length of the password (or the size of file specified with -p or --"
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"password-file option) must be less than or equal to PASS_MAX bytes (64 bytes "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"on systems with no globally-defined PASS_MAX value)."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "sss_ssh_authorizedkeys"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refmeta><manvolnum>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "get OpenSSH authorized keys"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<replaceable>options</replaceable> </arg> <arg "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"choice='plain'><replaceable>USER</replaceable></arg>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"citerefentry> for more information)."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"command> for public key user authentication if it is compiled with support "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"for either <quote>AuthorizedKeysCommand</quote> or <quote>PubkeyAgent</"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"quote> <citerefentry> <refentrytitle>sshd_config</refentrytitle> "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<manvolnum>5</manvolnum></citerefentry> options."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><programlisting>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"If <quote>AuthorizedKeysCommand</quote> is supported, "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"citerefentry> can be configured to use it by putting the following directive "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"in <citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"manvolnum></citerefentry>: <placeholder type=\"programlisting\" id=\"0\"/>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><programlisting>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u\n"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"If <quote>PubkeyAgent</quote> is supported, "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"citerefentry> can be configured to use it by using the following directive "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"for <citerefentry> <refentrytitle>sshd</refentrytitle> <manvolnum>8</"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"manvolnum></citerefentry> configuration: <placeholder type=\"programlisting"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"\" id=\"0\"/>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><title>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sss_ssh_authorizedkeys.1.xml:93 sss_ssh_knownhostsproxy.1.xml:92
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "EXIT STATUS"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <reference><refentry><refsect1><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#: sss_ssh_authorizedkeys.1.xml:95 sss_ssh_knownhostsproxy.1.xml:94
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"In case of success, an exit value of 0 is returned. Otherwise, 1 is returned."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refname>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "sss_ssh_knownhostsproxy"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refnamediv><refpurpose>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "get OpenSSH host keys"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<replaceable>options</replaceable> </arg> <arg "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"choice='plain'><replaceable>HOST</replaceable></arg> <arg "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"manvolnum></citerefentry> for more information) <filename>/var/lib/sss/"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"pubconf/known_hosts</filename> and estabilishes connection to the host."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"create the connection to the host instead of opening a socket."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para><programlisting>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n"
dd3ba5c5b7d2a9d109963ae9e6c94fff34872221Stephen Gallagher"GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"command> for host key authentication by using the following directives for "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"Use port <replaceable>PORT</replaceable> to connect to the host. By "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"default, port 22 is used."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "SERVICE DISCOVERY"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The service discovery feature allows back ends to automatically find the "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"appropriate servers to connect to using a special DNS query. This feature is "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"not supported for backup servers."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><title>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#: include/service_discovery.xml:9 include/ldap_id_mapping.xml:57
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Configuration"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If no servers are specified, the back end automatically uses service "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"discovery to try to find a server. Optionally, the user may choose to use "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"both fixed server addresses and service discovery by inserting a special "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"preference is maintained. This feature is useful if, for example, the user "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"prefers to use service discovery whenever possible, and fall back to a "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"specific server when no servers can be discovered using DNS."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The domain name"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"manvolnum> </citerefentry> manual page for more details."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The protocol"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The queries usually specify _tcp as the protocol. Exceptions are documented "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"in respective option description."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "See Also"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"For more information on the service discovery mechanism, refer to RFC 2782."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: outside any tag (error?)
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "FAILOVER"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The failover feature allows back ends to automatically switch to a different "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"server if the current server fails."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Failover Syntax"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The list of servers is given as a comma-separated list; any number of spaces "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"is allowed around the comma. The servers are listed in order of preference. "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"The list can contain any number of servers."
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek#. type: Content of: <refsect1><refsect2><para>
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"For each failover-enabled config option, two variants exist: "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"that servers in the primary list are preferred and backup servers are only "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"searched if no primary servers can be reached. If a backup server is "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"selected, a timeout of 31 seconds is set. After this timeout SSSD will "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"periodically try to reconnect to one of the primary servers. If it succeeds, "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"it will replace the current active (backup) server."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><title>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "The Failover Mechanism"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"The failover mechanism distinguishes between a machine and a service. The "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"back end first tries to resolve the hostname of a given machine; if this "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"resolution attempt fails, the machine is considered offline. No further "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"attempts are made to connect to this machine for any other service. If the "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"resolution attempt succeeds, the back end tries to connect to a service on "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"this machine. If the service connection attempt fails, then only this "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"particular service is considered offline and the back end automatically "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"switches over to the next service. The machine is still considered online "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"and might still be tried for another service."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"Further connection attempts are made to machines or services marked as "
1008001f34abb42df75f840db17f14a83f0c21d4Stephen Gallagher"offline after a specified period of time; this is currently hard coded to 30 "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"If there are no more machines to try, the back end as a whole switches to "
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher"offline mode, and then attempts to reconnect every 30 seconds."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><title>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ID MAPPING"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"The ID-mapping feature allows SSSD to act as a client of Active Directory "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"without requiring administrators to extend user attributes to support POSIX "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"attributes for user and group identifiers."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"ignored. This is to avoid the possibility of conflicts between automatically-"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"assigned and manually-assigned values. If you need to use manually-assigned "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"values, ALL values must be manually-assigned."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><title>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Mapping Algorithm"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Active Directory provides an objectSID for every user and group object in "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"the directory. This objectSID can be broken up into components that "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"represent the Active Directory domain identity and the relative identifier "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"(RID) of the user or group object."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"The SSSD ID-mapping algorithm takes a range of available UIDs and divides it "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"into equally-sized component sections - called \"slices\"-. Each slice "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"represents the space available to an Active Directory domain."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"When a user or group entry for a particular domain is encountered for the "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"first time, the SSSD allocates one of the available slices for that domain. "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"In order to make this slice-assignment repeatable on different client "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"machines, we select the slice based on the following algorithm:"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"The SID string is passed through the murmurhash3 algorithm to convert it to "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"a 32-bit hashed value. We then take the modulus of this value with the total "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"number of available slices to pick the slice."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"NOTE: It is possible to encounter collisions in the hash and subsequent "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"modulus. In these situations, we will select the next available slice, but "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"it may not be possible to reproduce the same exact set of slices on other "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"machines (since the order that they are encountered will determine their "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"slice). In this situation, it is recommended to either switch to using "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"explicit POSIX attributes in Active Directory (disabling ID-mapping) or "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"configure a default domain to guarantee that at least one is always "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"consistent. See <quote>Configuration</quote> for details."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><para><programlisting>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"ldap_id_mapping = True\n"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"ldap_schema = ad\n"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"The default configuration results in configuring 10,000 slices, each capable "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"of holding up to 200,000 IDs, starting from 10,001 and going up to "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"2,000,100,000. This should be sufficient for most deployments."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><title>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Advanced Configuration"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_idmap_range_min (integer)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Specifies the lower bound of the range of POSIX IDs to use for mapping "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Active Directory user and group SIDs."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"NOTE: This option is different from <quote>min_id</quote> in that "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"<quote>min_id</quote> acts to filter the output of requests to this domain, "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"whereas this option controls the range of ID assignment. This is a subtle "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"distinction, but the good general advice would be to have <quote>min_id</"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#: include/ldap_id_mapping.xml:95 include/ldap_id_mapping.xml:131
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "Default: 200000"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_idmap_range_max (integer)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Specifies the upper bound of the range of POSIX IDs to use for mapping "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Active Directory user and group SIDs."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"NOTE: This option is different from <quote>max_id</quote> in that "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"<quote>max_id</quote> acts to filter the output of requests to this domain, "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"whereas this option controls the range of ID assignment. This is a subtle "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"distinction, but the good general advice would be to have <quote>max_id</"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "Default: 2000200000"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_idmap_range_size (integer)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Specifies the number of IDs available for each slice. If the range size "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"does not divide evenly into the min and max values, it will create as many "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"complete slices as it can."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_idmap_default_domain_sid (string)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Specify the domain SID of the default domain. This will guarantee that this "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"domain will always be assigned to slice zero in the ID map, bypassing the "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"murmurhash algorithm described above."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_idmap_default_domain (string)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "Specify the name of the default domain."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "ldap_idmap_autorid_compat (boolean)"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"Changes the behavior of the ID-mapping algorithm to behave more similarly to "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"winbind's <quote>idmap_autorid</quote> algorithm."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"When this option is configured, domains will be allocated starting with "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"slice zero and increasing monatomically with each additional domain."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"NOTE: This algorithm is non-deterministic (it depends on the order that "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"users and groups are requested). If this mode is required for compatibility "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"with machines running winbind, it is recommended to also use the "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"least one domain is consistently allocated to slice zero."
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "<option>-?</option>,<option>--help</option>"
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallagher#. type: Content of: <varlistentry><listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: include/param_help.xml:7 include/param_help_py.xml:7
6b0f9cd2ee601121cb7fe1d9ad8ebce782aa8f39Stephen Gallaghermsgid "Display help message and exit."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <varlistentry><term>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozekmsgid "<option>-h</option>,<option>--help</option>"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"Bit mask that indicates which debug levels will be visible. 0x0010 is the "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"default value as well as the lowest allowed value, 0xFFF0 is the most "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"verbose mode. This setting overrides the settings from config file."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "Currently supported debug levels:"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<emphasis>0x0010</emphasis>: Fatal failures. Anything that would prevent "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"SSSD from starting up or causes it to cease running."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<emphasis>0x0020</emphasis>: Critical failures. An error that doesn't kill "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"the SSSD, but one that indicates that at least one major feature is not "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"going to work properly."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<emphasis>0x0040</emphasis>: Serious failures. An error announcing that a "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"particular request or operation has failed."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<emphasis>0x0080</emphasis>: Minor failures. These are the errors that would "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"percolate down to cause the operation failure of 2."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "<emphasis>0x0100</emphasis>: Configuration settings."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "<emphasis>0x0200</emphasis>: Function data."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "<emphasis>0x0400</emphasis>: Trace messages for operation functions."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<emphasis>0x1000</emphasis>: Trace messages for internal control functions."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<emphasis>0x2000</emphasis>: Contents of function-internal variables that "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"may be interesting."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallaghermsgid "<emphasis>0x4000</emphasis>: Extremely low-level tracing information."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"To log required debug levels, simply add their numbers together as shown in "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"following examples:"
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<emphasis>Example</emphasis>: To log fatal failures, critical failures, "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"serious failures and function data use 0x0270."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<emphasis>Example</emphasis>: To log fatal failures, configuration settings, "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"function data, trace messages for internal control functions use 0x1310."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: <listitem><para>
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<emphasis>Note</emphasis>: This is new format of debug levels introduced in "
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"1.7.0. Older format (numbers from 0-10) is compatible but deprecated."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher#. type: Content of: outside any tag (error?)
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"<emphasis> This is an experimental feature, please use http://fedorahosted."
2ea6196484055397cc4bc011c5960f790431fa9dStephen Gallagher"org/sssd to report any issues. </emphasis>"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><title>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallaghermsgid "THE LOCAL DOMAIN"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"In order to function correctly, a domain with <quote>id_provider=local</"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"quote> must be created and the SSSD must be running."
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher#. type: Content of: <refsect1><para>
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"The administrator might want to use the SSSD local users instead of "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"traditional UNIX users in cases where the group nesting (see <citerefentry> "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </"
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"citerefentry>) is needed. The local users are also useful for testing and "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"development of the SSSD without having to deploy a full remote server. The "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"<command>sss_user*</command> and <command>sss_group*</command> tools use a "
e59e09b5010f262228bbdeb92a79b733bf5854b3Stephen Gallagher"local LDB storage to store users and groups."
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <refsect1><title>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgid "SEE ALSO"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozekmsgstr "ZIE OOK"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek#. type: Content of: <refsect1><para>
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> </"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sssd-ipa</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>, <phrase condition=\"with_sudo\"> <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>, </phrase> <citerefentry> <refentrytitle>sss_cache</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> </"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"citerefentry>, <citerefentry> <refentrytitle>sss_seed</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> <citerefentry> "
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>8</"
64a424ec1b268427822c646f7781e26e56c197f6Jakub Hrozek"manvolnum> </citerefentry>, <citerefentry> "
6463ed1dcdd45416468b3fa178bd856b5a9ed2c3Jakub Hrozek"<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</"
65a9065538fd85e6ead925d344e6b421900eb8c2Jakub Hrozek"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"An optional base DN, search scope and LDAP filter to restrict LDAP searches "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"for this attribute type."
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para><programlisting>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozekmsgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#: include/ldap_search_bases_experimental.xml:13
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"The scope can be one of \"base\", \"onelevel\" or \"subtree\". The filter "
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"must be a valid LDAP search filter as specified by http://www.ietf.org/rfc/"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#. type: Content of: <listitem><para>
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek#: include/ldap_search_bases_experimental.xml:19
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"For examples of this syntax, please refer to the <quote>ldap_search_base</"
7a14e8f66c0e932fe2954d792614a3b61d444bd1Jakub Hrozek"quote> examples section."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <listitem><para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#: include/ldap_search_bases_experimental.xml:27
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Please note that specifying scope or filter is not supported for searches "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"against an Active Directory Server that might yield a large number of "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"results and trigger the Range Retrieval extension in the response."
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek#. type: Content of: <para>
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"Please note that the automounter only reads the master map on startup, so if "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"any autofs-related changes are made to the sssd.conf, you typically also "
524ceecc11f3d458eb3c1cf1489c3ff6ccb22226Jakub Hrozek"need to restart the automounter daemon after restarting the SSSD."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "override_homedir (string)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "UID number"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "domain name"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "fully qualified user name (user@domain)"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "The original home directory retrieved from the identity provider."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"Override the user's home directory. You can either provide an absolute value "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"or a template. In the template, the following sequences are substituted: "
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"<placeholder type=\"variablelist\" id=\"0\"/>"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "This option can also be set per-domain."
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para><programlisting>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek"override_homedir = /home/%u\n"
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozek#. type: Content of: <varlistentry><listitem><para>
2cb6f28b3a12bb714bf14494d31eb6b6fff64b8bJakub Hrozekmsgid "Default: Not set (SSSD will use the value retrieved from LDAP)"