sssd.conf.5.xml revision 655d723e7babf2ca37f44bb8a546277793c9bec6
<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
<reference>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
<refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
</refmeta>
</refnamediv>
The file has an ini-style syntax and consists of sections and
parameters. A section begins with the name of the section in
square brackets and continues until the next section begins. An
example of a section with single and multi-valued parameters:
<programlisting>
<replaceable>key</replaceable> = <replaceable>value</replaceable>
<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>
</programlisting>
The data types used are string (no quotes needed), integer
A line comment starts with a hash sign (<quote>#</quote>) or a
Inline comments are not supported.
All sections can have an optional
<replaceable>description</replaceable> parameter. Its function
is only as a label for the section.
<filename>sssd.conf</filename> must be a regular file, owned by
root and only root may read from or write to the file.
</refsect1>
<title>CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY</title>
The configuration file <filename>sssd.conf</filename> will
include configuration snippets using the include directory
<filename>conf.d</filename>. This feature is available if
SSSD was compiled with libini version 1.3.0 or later.
to configure SSSD.
The configuration snippets from <filename>conf.d</filename>
conflicts occur. If several snippets are present in
alphabetical order (based on locale).
Files included later have higher priority. Numerical
visualize the priority (higher number means higher
priority).
The snippet files require the same owner and permissions
root:root and 0600.
</refsect1>
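The two rules above (the main file and every snippet must be a regular file, root:root, mode 0600; snippets are applied after the main file in alphabetical order with later files winning) are easy to get wrong when configuration is templated. The following is an added example, not SSSD's own parser: it uses Python's configparser as a stand-in for libini (comment handling matches the page: `#`/`;` line comments, no inline comments) and builds a constructed config tree in a temporary directory. The file names, section contents and the use of codepoint ordering in `sorted()` (the page says locale-based alphabetical order) are assumptions for illustration.

```python
"""Added example (not SSSD code): verify sssd.conf/conf.d file permissions and
show the merge order described in the man page: conf.d snippets are read in
alphabetical order after sssd.conf and later files override earlier ones."""
import configparser
import os
import stat
import tempfile
from pathlib import Path


def file_perm_report(path: Path, expect_uid: int = 0, expect_gid: int = 0) -> dict:
    """Check the three requirements the man page states for sssd.conf and its
    snippets: regular file, owned by root:root, mode 0600. lstat is used so a
    symlink dropped into conf.d is not silently followed."""
    st = os.lstat(path)
    return {
        "regular": stat.S_ISREG(st.st_mode),
        "owner_root": st.st_uid == expect_uid and st.st_gid == expect_gid,
        "mode_0600": stat.S_IMODE(st.st_mode) == 0o600,
    }


def load_sssd_config(conf: Path) -> configparser.ConfigParser:
    """Parse sssd.conf, then conf.d/*.conf in alphabetical order.
    configparser applies the files in list order, so a key set in a later
    snippet overrides the same key from an earlier one or from sssd.conf.
    NOTE: sorted() orders by codepoint, not by locale collation."""
    cp = configparser.ConfigParser(
        interpolation=None,
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        inline_comment_prefixes=None,   # inline comments are not supported
    )
    cp.optionxform = str                # keep option names exactly as written
    files = [conf] + sorted((conf.parent / "conf.d").glob("*.conf"))
    cp.read(files)
    return cp


def demo() -> dict:
    """Build a constructed config tree and return the merged values plus the
    permission report of the main file (ownership is only root if run as root)."""
    root = Path(tempfile.mkdtemp())
    (root / "conf.d").mkdir()
    (root / "sssd.conf").write_text(
        "[sssd]\nconfig_file_version = 2\nservices = nss, pam\n"
        "domains = example.com\n"
        "[domain/example.com]\nid_provider = ldap\ndebug_level = 2\n"
    )
    # Two snippets touch the same key; 20-... sorts after 10-... and wins.
    (root / "conf.d" / "10-debug.conf").write_text(
        "[domain/example.com]\ndebug_level = 6\n")
    (root / "conf.d" / "20-debug.conf").write_text(
        "# later file has higher priority\n[domain/example.com]\ndebug_level = 9\n")
    for p in [root / "sssd.conf", *(root / "conf.d").glob("*.conf")]:
        p.chmod(0o600)
    cp = load_sssd_config(root / "sssd.conf")
    return {
        "debug_level": cp.get("domain/example.com", "debug_level"),
        "id_provider": cp.get("domain/example.com", "id_provider"),
        "perms": file_perm_report(root / "sssd.conf"),
    }
```

In `demo()` the merged `debug_level` is `9` because `20-debug.conf` is included after `10-debug.conf`, while `id_provider` still comes from `sssd.conf` since no snippet overrides it. `file_perm_report()` is the check worth running in a deployment pipeline before restarting SSSD: a snippet that is world-readable or not owned by root makes the configuration invalid.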
Following options are usable in more than one configuration
<variablelist>
<varlistentry>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/debug_levels.xml" />
</varlistentry>
<varlistentry>
<listitem>
SSSD 1.14 and later also includes the
convenience feature. If both are specified, the
will be used.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Add a timestamp to the debug messages.
If journald is enabled for SSSD debug logging this
option is ignored.
Default: true
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Add microseconds to the timestamp in debug messages.
If journald is enabled for SSSD debug logging this
option is ignored.
Default: false
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<title>Options usable in SERVICE and DOMAIN sections</title>
<variablelist>
<varlistentry>
<listitem>
Timeout in seconds between heartbeats for this
service. This is used to ensure that the process
is alive and capable of answering requests. Note
that after three missed heartbeats the process
will terminate itself.
Default: 10
</listitem>
</varlistentry>
</variablelist>
</refsect2>
</refsect1>
Individual pieces of SSSD functionality are provided by special
SSSD services that are started and stopped together with SSSD.
The services are managed by a special service frequently called
<quote>monitor</quote>. The <quote>[sssd]</quote> section is used
to configure the monitor as well as some other important options
like the identity domains.
<variablelist>
<varlistentry>
<listitem>
Indicates what is the syntax of the config
file. SSSD 0.6.0 and later use version 2.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Comma separated list of services that are
started when sssd itself starts.
The services' list is optional on platforms
where systemd is supported, as they will either
be socket or D-Bus activated when needed.
Supported services: nss, pam
By default, all services are disabled and the administrator
must enable the ones allowed to be used by executing:
"systemctl enable sssd-@service@.socket".
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Number of times services should attempt to
reconnect in the event of a Data Provider
crash or restart before they give up.
Default: 3
</listitem>
</varlistentry>
<varlistentry>
<listitem>
A domain is a database containing user
information. SSSD can use more domains
at the same time, but at least one
must be configured or SSSD won't start.
This parameter describes the list of domains
in the order you want them to be queried.
A domain name should only consist of alphanumeric
ASCII characters, dashes, dots and underscores.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Default regular expression that describes how to
parse the string containing user name and domain
into these components.
Each domain can have an individual regular
expression configured. For some ID providers
there are also default regular expressions. See
DOMAIN SECTIONS for more info on these regular
expressions.
</varlistentry>
<varlistentry>
<listitem>
A <citerefentry>
</citerefentry>-compatible format that describes how to
compose a fully qualified name from user name
and domain name components.
The following expansions are supported:
<variablelist>
<varlistentry>
</varlistentry>
<varlistentry>
<listitem>
domain name as specified in the
SSSD config file.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
domain flat name. Mostly usable
for Active Directory domains, both
directly configured or discovered
via IPA trusts.
</listitem>
</varlistentry>
</variablelist>
Each domain can have an individual format string configured.
see DOMAIN SECTIONS for more info on this option.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
SSSD monitors the state of resolv.conf to
identify when it needs to update its internal
DNS resolver. By default, we will attempt to
use inotify for this, and will fall back to
polling resolv.conf every five seconds if
inotify cannot be used.
There are some limited situations where it is
preferred that we should skip even trying to
use inotify. In these rare cases, this option
should be set to 'false'.
Default: true on platforms where inotify is
supported. False on other platforms.
Note: this option will have no effect on
platforms where inotify is unavailable. On
these platforms, polling will always be used.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Directory on the filesystem where SSSD should
store Kerberos replay cache files.
This option accepts a special value
__LIBKRB5_DEFAULTS__ that will instruct SSSD
to let libkrb5 decide the appropriate
location for the replay cache.
Default: Distribution-specific and specified
at build-time. (__LIBKRB5_DEFAULTS__ if not
configured)
</listitem>
</varlistentry>
<varlistentry>
<listitem>
The user to drop the privileges to where
appropriate to avoid running as the
root user.
This option does not work when running socket-activated
services, as the user set up to run the processes is
set up during compilation time.
The way to override the systemd unit files is by creating
Keep in mind that any change in the socket user, group or
permissions may result in a non-usable SSSD. The same may
occur in case of changes of the user running the NSS
responder.
Default: not set, process will run as root
</listitem>
</varlistentry>
<varlistentry>
<listitem>
This string will be used as a default domain
name for all names without a domain name
component. The main use case is environments
where the primary domain is intended for managing host
policies and all users are located in a trusted domain.
The option allows those users
to log in just with their user name without
giving a domain name as well.
Please note that if this option is set all
users from the primary domain have to use their
fully qualified name, e.g. user@domain.name,
to log in. Setting this option changes the default
of use_fully_qualified_names to True. It is not
allowed to use this option together with
use_fully_qualified_names set to False.
Default: not set
</listitem>
</varlistentry>
<varlistentry>
<listitem>
This parameter will replace spaces (space bar)
with the given character for user and group names.
e.g. (_). User name "john doe" will
be "john_doe". This feature was added to
help compatibility with shell scripts that have
difficulty handling spaces, due to the
default field separator in the shell.
Please note it is a configuration error to use
a replacement character that might be used in
user or group names. If a name contains the
replacement character SSSD tries to return the
unmodified name but in general the result of a
lookup is undefined.
Default: not set (spaces will not be replaced)
</listitem>
</varlistentry>
<varlistentry>
<listitem>
With this parameter the certificate verification
can be tuned with a comma separated list of
options. Supported options are:
<variablelist>
<varlistentry>
<para>Disables Online Certificate Status
Protocol (OCSP) checks. This might be
needed if the OCSP servers defined in
the certificate are not reachable from
the client.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Disables verification completely.
This option should only be used for
testing.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Sets the OCSP default responder
which should be used instead of the one
mentioned in the certificate. URL must
be replaced with the URL of the OCSP
default responder e.g.
<para>This option must be used together with
ocsp_default_responder_signing_cert.</para>
</listitem>
</varlistentry>
<varlistentry>
ocsp_default_responder_signing_cert=NAME</term>
<listitem>
<para>The nickname of the cert to trust
(expected) to sign the OCSP responses.
The certificate with the given nickname
must be available in the systems NSS
database.</para>
<para>This option must be used together
with ocsp_default_responder.</para>
</listitem>
</varlistentry>
</variablelist>
Unknown options are reported but ignored.
Default: not set, i.e. do not restrict
certificate verification
</listitem>
</varlistentry>
<varlistentry>
<listitem>
SSSD hooks into the netlink interface to
monitor changes to routes, addresses, links
and trigger certain actions.
The SSSD state changes caused by netlink
events may be undesirable and can be disabled
by setting this option to 'true'.
Default: false (netlink changes are detected)
</listitem>
</varlistentry>
<varlistentry>
<listitem>
When this option is enabled, SSSD
prepends an implicit domain with
any explicitly configured domains.
Default: false
Default: true
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Comma separated list of domains and subdomains
representing the lookup order that will be
The list doesn't have to include all possible
domains as the missing domains will be looked
up based on the order they're presented in the
The subdomains which are not listed as part of
in a random order for each parent domain.
Please, note that when this option is set the
output format of all commands is always
fully-qualified even when using short names
for input.
In case the administrator wants the output not
fully-qualified, the full_name_format option
can be used as shown below:
However, keep in mind that during login, login
applications often canonicalize the username by
<citerefentry>
</citerefentry>
which, if a shortname is returned for a
qualified input (while trying to reach a user
which exists in multiple domains) might
re-route the login attempt into the domain
which uses shortnames, making this workaround
not recommended at all in cases where
usernames may overlap between domains.
Default: Not set
</listitem>
</varlistentry>
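The interaction between re_expression, domain_resolution_order and full_name_format described in this entry and in the re_expression/full_name_format entries earlier in this section is where the login re-routing hazard comes from, so it is worth modelling end to end. The following is an added example and not SSSD's resolver code: it splits a login name with a named-group regex, walks a lookup order derived from a domain_resolution_order, and renders the result with a printf-style positional format. The regex, the `%1$s@%2$s` format, the rule that unlisted subdomains are appended per parent in random order, and the directory contents are all assumptions made for illustration, not values taken from this page.

```python
"""Added example (not SSSD code): model of short-name resolution across
domains and of how full_name_format shapes the returned name."""
import random
import re
from typing import Dict, List, Optional, Set, Tuple

# Assumed for illustration: SSSD-style named groups "name" and "domain".
RE_EXPRESSION = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
# %1$s = user name, %2$s = domain name, %3$s = domain flat name (assumed mapping)
FULL_NAME_FORMAT = "%1$s@%2$s"
_POSITIONAL = re.compile(r"%(\d)\$s")


def parse_name(raw: str, re_expression: str = RE_EXPRESSION) -> Tuple[str, Optional[str]]:
    """Split 'user@domain' (or a bare 'user') into (user, domain-or-None)."""
    m = re.match(re_expression, raw)
    if m is None:
        raise ValueError(f"{raw!r} does not match re_expression")
    return m.group("name"), m.group("domain") or None


def format_full_name(name: str, domain: str, flat_name: Optional[str] = None,
                     fmt: str = FULL_NAME_FORMAT) -> str:
    """Expand a printf-style positional format such as '%1$s@%2$s'."""
    values = {1: name, 2: domain, 3: flat_name}

    def expand(m):
        value = values.get(int(m.group(1)))
        if value is None:
            raise ValueError(f"no value available for expansion {m.group(0)}")
        return value

    return _POSITIONAL.sub(expand, fmt).replace("%%", "%")


def lookup_order(domains: List[str], subdomains: Dict[str, List[str]],
                 domain_resolution_order: Optional[List[str]] = None,
                 seed: Optional[int] = None) -> List[str]:
    """Domains tried for a short name: the explicitly ordered ones first, then
    parents missing from that list in 'domains' order; subdomains that were
    not listed are appended per parent in random order (simplified model)."""
    rng = random.Random(seed)
    order = list(domain_resolution_order or [])
    for parent in domains:
        if parent not in order:
            order.append(parent)
        unlisted = [s for s in subdomains.get(parent, []) if s not in order]
        rng.shuffle(unlisted)
        order.extend(unlisted)
    return order


def resolve(raw: str, order: List[str], directory: Dict[str, Set[str]],
            fmt: str = FULL_NAME_FORMAT) -> Optional[str]:
    """Resolve a login name against a constructed directory (domain -> users).
    A qualified input pins the domain; a short name walks the lookup order.
    Returns the name rendered with full_name_format, or None if unknown."""
    name, domain = parse_name(raw)
    candidates = [domain] if domain else order
    for dom in candidates:
        if name in directory.get(dom, set()):
            return format_full_name(name, dom, fmt=fmt)
    return None


# Constructed data: the short name "bob" exists in two trusted domains.
DIRECTORY = {
    "ipa.example.com": {"alice"},
    "ad.example.com": {"bob"},
    "corp.example.com": {"bob", "carol"},
}
ORDER = lookup_order(
    ["ipa.example.com"],
    {"ipa.example.com": ["ad.example.com", "corp.example.com"]},
    domain_resolution_order=["ad.example.com"],
)
```

`resolve("bob", ORDER, DIRECTORY)` yields `bob@ad.example.com` because ad.example.com is first in the lookup order, while `resolve("bob@corp.example.com", ORDER, DIRECTORY)` is pinned to corp.example.com. With `fmt="%1$s"` the second call returns just `bob`: the qualified input has been collapsed to a short name that a login application canonicalizing through NSS would then resolve to the other bob, which is the re-routing the text above warns about.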
</variablelist>
</refsect2>
</refsect1>
Settings that can be used to configure different services
are described in this section. They should reside in the
for the NSS service, the section would be <quote>[nss]</quote>
These options can be used to configure any service.
<variablelist>
<varlistentry>
<listitem>
Number of times services should attempt to
reconnect in the event of a Data Provider
crash or restart before they give up.
Default: 3
</listitem>
</varlistentry>
<varlistentry>
<listitem>
This option specifies the maximum number of file
descriptors that may be opened at one time by this
SSSD process. On systems where SSSD is granted the
CAP_SYS_RESOURCE capability, this will be an
absolute setting. On systems without this
capability, the resulting value will be the lower
value of this or the limits.conf "hard" limit.
Default: 8192 (or limits.conf "hard" limit)
</listitem>
</varlistentry>
<varlistentry>
<listitem>
This option specifies the number of seconds that
a client of an SSSD process can hold onto a file
descriptor without communicating on it. This value
is limited in order to avoid resource exhaustion
on the system. The timeout can't be shorter than
10 seconds. If a lower value is configured, it
will be adjusted to 10 seconds.
Default: 60
</listitem>
</varlistentry>
<varlistentry>
<listitem>
When SSSD switches to offline mode the amount of
time before it tries to go back online will
increase based upon the time spent disconnected.
This value is in seconds and calculated by the
following:
offline_timeout + random_offset
The random offset can increment up to 30 seconds.
After each unsuccessful attempt to go online,
the new interval is recalculated by the following:
new_interval = old_interval*2 + random_offset
Note that the maximum length of each interval
is currently limited to one hour. If the
calculated length of new_interval is greater
than an hour, it will be forced to one hour.
Default: 60
</listitem>
</varlistentry>
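The backoff rule above is simple but the resulting schedule is what matters when you estimate how long a host stays on cached credentials after a network partition heals. The following is an added example, not SSSD's implementation: it computes the successive retry intervals from the formulas in the text (first interval offline_timeout + random_offset, then old_interval*2 + random_offset, each capped at one hour, offset between 0 and 30 seconds). The `seed` and `max_random_offset` parameters exist only to make the schedule reproducible in a test.

```python
"""Added example (not SSSD code): the offline-to-online retry schedule
derived from the offline_timeout rules in the man page."""
import random
from typing import List, Optional

MAX_INTERVAL_SECONDS = 3600       # each interval is capped at one hour
MAX_RANDOM_OFFSET_SECONDS = 30    # random offset can be up to 30 seconds


def offline_retry_schedule(offline_timeout: int = 60, attempts: int = 8,
                           max_random_offset: int = MAX_RANDOM_OFFSET_SECONDS,
                           seed: Optional[int] = None) -> List[int]:
    """Return the wait (seconds) before each of `attempts` reconnect tries.

    interval[0] = offline_timeout + random_offset
    interval[n] = interval[n-1] * 2 + random_offset, capped at one hour.
    """
    rng = random.Random(seed)

    def offset() -> int:
        return rng.randint(0, max_random_offset)

    interval = min(offline_timeout + offset(), MAX_INTERVAL_SECONDS)
    schedule = [interval]
    for _ in range(attempts - 1):
        interval = min(interval * 2 + offset(), MAX_INTERVAL_SECONDS)
        schedule.append(interval)
    return schedule


def time_until_attempt(schedule: List[int], attempt: int) -> int:
    """Seconds from going offline until the given 1-based reconnect attempt."""
    return sum(schedule[:attempt])
```

With the default `offline_timeout = 60` and no random offset the schedule is 60, 120, 240, 480, 960, 1920 and then 3600 for every further attempt, so the sixth attempt happens roughly an hour after going offline and after that SSSD only retries hourly; lowering `offline_timeout` mostly shortens the first few intervals, not the steady state.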
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf This option specifies the number of seconds that
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf an SSSD responder process can be up without being
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf used. This value is limited in order to avoid
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf resource exhaustion on the system.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The minimum acceptable value for this option is 60
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Setting this option to 0 (zero) means that no
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf timeout will be set for the responder.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf This option only has effect when SSSD is built with
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf systemd support and when services are either socket
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf or D-Bus activated.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 300
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf This option specifies whether the responder should
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf query all caches before querying the Data Providers.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: false
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </refsect2>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf These options can be used to configure the
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Name Service Switch (NSS) service.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf How many seconds should nss_sss cache enumerations
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf (requests for info about all users)
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 120
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The entry cache can be set to automatically update
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf entries in the background if they are requested
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf beyond a percentage of the entry_cache_timeout
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf value for the domain.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf For example, if the domain's entry_cache_timeout
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf is set to 30s and entry_cache_nowait_percentage is
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf set to 50 (percent), entries that come in after 15
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf seconds past the last cache update will be
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf returned immediately, but the SSSD will go and
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf update the cache on its own, so that future
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf requests will not need to block waiting for a
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf cache update.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Valid values for this option are 0-99 and
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf represent a percentage of the entry_cache_timeout
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf for each domain. For performance reasons, this
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf percentage will never reduce the nowait timeout to
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf less than 10 seconds.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf (0 disables this feature)
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 50
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
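The nowait rule above, as an added example that is not SSSD's own code: it computes the refresh threshold from entry_cache_timeout and entry_cache_nowait_percentage (honouring the 10-second floor and the value 0 that disables the feature) and classifies a lookup by the age of the cached entry. Function names are this example's own.

```python
MIN_NOWAIT_SECONDS = 10   # the percentage never lowers the nowait timeout below 10 s


def nowait_timeout(entry_cache_timeout, nowait_percentage):
    """Seconds after the last cache update from which a request is still
    answered from cache but also triggers a background refresh.
    Returns None when the feature is disabled (percentage 0)."""
    if not 0 <= nowait_percentage <= 99:
        raise ValueError("entry_cache_nowait_percentage must be in 0-99")
    if nowait_percentage == 0:
        return None
    # Note the floor: with a very short entry_cache_timeout the threshold can
    # exceed the timeout itself, so the entry expires before a background
    # refresh is ever scheduled and every stale lookup blocks.
    return max(entry_cache_timeout * nowait_percentage / 100, MIN_NOWAIT_SECONDS)


def classify_lookup(entry_age, entry_cache_timeout, nowait_percentage):
    """Classify one lookup by the age (seconds) of the cached entry:
    'cached'         -> answered from cache, nothing else happens
    'cached+refresh' -> answered immediately, cache updated in the background
    'expired'        -> caller blocks until the data provider answers"""
    if entry_age >= entry_cache_timeout:
        return "expired"
    threshold = nowait_timeout(entry_cache_timeout, nowait_percentage)
    if threshold is not None and entry_age >= threshold:
        return "cached+refresh"
    return "cached"


if __name__ == "__main__":
    # The page's example: timeout 30 s, 50 percent -> refresh from 15 s on.
    for age in (5, 15, 20, 30):
        print(age, classify_lookup(age, 30, 50))
```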
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Specifies for how many seconds nss_sss should cache
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf negative cache hits (that is, queries for
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf invalid database entries, like nonexistent ones)
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf before asking the back end again.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 15
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Specifies for how many seconds nss_sss should keep
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf local users and groups in negative cache before
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf trying to look them up in the back end again.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Exclude certain users or groups from being fetched
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf from the sss NSS database. This is particularly
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf useful for system accounts. This option can also
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf be set per-domain or include fully-qualified names
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf to filter only users from the particular domain.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf NOTE: The filter_groups option doesn't affect
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf inheritance of nested group members, since
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf filtering happens after they are propagated for
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf returning via NSS. E.g. a group having a member
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf group filtered out will still have the member
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf users of the latter listed.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: root
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf If you want filtered users to still be group members,
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf set this option to false.
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang Default: true
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/override_homedir.xml" />
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/homedir_substring.xml" />
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Set a default template for a user's home directory
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf if one is not specified explicitly by the domain's
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf data provider.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The available values for this option are the same
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf as for override_homedir.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <programlisting>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azffallback_homedir = /home/%u
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </programlisting>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: not set (no substitution for unset home
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf directories)
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Override the login shell for all users. This
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf option supersedes any other shell options if
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf it takes effect and can be set either in the
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf [nss] section or per-domain.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: not set (SSSD will use the value
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf retrieved from LDAP)
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Restrict user shell to one of the listed values. The order of evaluation is:
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf 1. If the shell is present in
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf 2. If the shell is in the allowed_shells list but
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf value of the shell_fallback parameter.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf 3. If the shell is not in the allowed_shells list and
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The wildcard (*) can be used to allow any shell.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The (*) is useful if you want to use
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf shell_fallback in case that user's shell is not
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf of all allowed shells in allowed_shells would be
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf too much overhead.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf An empty string for shell is passed as-is to libc.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The <quote>/etc/shells</quote> is only read on SSSD startup, which means that
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf a restart of the SSSD is required in case a new shell is installed.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: Not set. The user shell is automatically used.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang Replace any instance of these shells with the shell_fallback
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The default shell to use if an allowed shell is not
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf installed on the machine.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The default shell to use if the provider does
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf not return one during lookup. This option can
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf be specified globally in the [nss] section
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang or per-domain.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: not set (Return NULL if no shell is
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf specified and rely on libc to substitute something
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Specifies time in seconds for which the list of
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf subdomains will be considered valid.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 60
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Specifies time in seconds for which records
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf in the in-memory cache will be valid. Setting this
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf option to zero will disable the in-memory cache.
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang Default: 300
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf WARNING: Disabling the in-memory cache will
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf have significant negative impact on SSSD's
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf performance and should only be used for
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf NOTE: If the environment variable
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf SSS_NSS_USE_MEMCACHE is set to "NO", client
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf applications will not use the fast in-memory
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Some of the additional NSS responder requests can
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf return more attributes than just the POSIX ones
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf defined by the NSS interface. The list of attributes
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf is controlled by this option. It is handled the same
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the InfoPipe responder (see
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf for details) but with no default values.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf To make configuration easier, the NSS responder
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf will check the InfoPipe option if it is not set for
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the NSS responder.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: not set, fallback to InfoPipe option
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The value that NSS operations that return
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf users or groups will return for the
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf This option can also be set per-domain.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </refsect2>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf These options can be used to configure the
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Pluggable Authentication Module (PAM) service.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf If the authentication provider is offline, how
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf long should we allow cached logins (in days since
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the last successful online login).
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 0 (No limit)
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf If the authentication provider is offline, how
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf many failed login attempts are allowed.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 0 (No limit)
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The time in minutes which has to pass after
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf offline_failed_login_attempts has been reached
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf before a new login attempt is possible.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf If set to 0 the user cannot authenticate offline if
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf offline_failed_login_attempts has been reached. Only
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf a successful online authentication can enable
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf offline authentication again.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 5
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
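The three offline-authentication settings above, combined into one policy check as an added example (not SSSD's own logic). The page names only offline_failed_login_attempts; the field names credentials_expiration_days and failed_login_delay_minutes are this example's own, and timestamps may be given as ISO 8601 strings to keep the sample data readable.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple, Union

DateLike = Union[str, datetime]


def _as_dt(value: DateLike) -> datetime:
    """Accept a datetime or an ISO 8601 string such as '2024-01-10T12:00'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


@dataclass
class OfflineAuthPolicy:
    # Field names are this example's own; defaults follow the page.
    credentials_expiration_days: int = 0   # days since last online login, 0 = no limit
    failed_login_attempts: int = 0         # offline failures allowed, 0 = no limit
    failed_login_delay_minutes: int = 5    # 0 = locked until a successful online login


@dataclass
class CachedCredentialState:
    last_online_login: DateLike            # last successful online login
    failed_attempts: int = 0               # failed offline attempts since then
    last_failed_attempt: Optional[DateLike] = None


def offline_login_allowed(policy: OfflineAuthPolicy,
                          state: CachedCredentialState,
                          now: DateLike) -> Tuple[bool, str]:
    """Decide whether an offline login may proceed; returns (allowed, reason)."""
    now = _as_dt(now)
    if policy.credentials_expiration_days > 0:
        expires = _as_dt(state.last_online_login) + timedelta(days=policy.credentials_expiration_days)
        if now >= expires:
            return False, "cached credentials expired on " + expires.isoformat()
    if policy.failed_login_attempts > 0 and state.failed_attempts >= policy.failed_login_attempts:
        if policy.failed_login_delay_minutes == 0 or state.last_failed_attempt is None:
            # Only a successful online authentication re-enables offline auth.
            return False, "locked until a successful online authentication"
        retry_at = _as_dt(state.last_failed_attempt) + timedelta(minutes=policy.failed_login_delay_minutes)
        if now < retry_at:
            return False, "retry delay in effect until " + retry_at.isoformat()
    return True, "offline authentication permitted"


if __name__ == "__main__":
    policy = OfflineAuthPolicy(credentials_expiration_days=7, failed_login_attempts=3)
    state = CachedCredentialState("2024-01-08T09:00", failed_attempts=3,
                                  last_failed_attempt="2024-01-10T11:58")
    print(offline_login_allowed(policy, state, "2024-01-10T12:00"))
    print(offline_login_allowed(policy, state, "2024-01-10T12:04"))
```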
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Controls what kind of messages are shown to the user
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf during authentication. The higher the number, the more
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf messages are displayed.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Currently sssd supports the following values:
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf information
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 1
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf A comma-separated list of strings that allows data
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf sent by the PAM responder to the pam_sss PAM module
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf to be removed (filtered). Different kinds of
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf responses are sent to pam_sss, e.g. messages displayed to
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the user or environment variables which should be
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf set by pam_sss.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf While messages can already be controlled with the
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf help of the pam_verbosity option, this option allows
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf other kinds of responses to be filtered out as well.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Currently the following filters are supported:
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf variable var_name to any
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf variable var_name to
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: not set
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Example: ENV:KRB5CCNAME:sudo-i
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf For any PAM request while SSSD is online, the SSSD will
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf attempt to immediately update the cached identity
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf information for the user in order to ensure that
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf authentication takes place with the latest information.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf A complete PAM conversation may perform multiple PAM
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf requests, such as account management and session
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf opening. This option controls (on a
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf per-client-application basis) how long (in seconds) we
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf can cache the identity information to avoid excessive
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf round-trips to the identity provider.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 5
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Display a warning N days before the password expires.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Please note that the backend server has to provide
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf information about the expiration time of the password.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf If this information is missing, sssd cannot display a
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf If zero is set, then this filter is not applied,
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf i.e. if the expiration warning was received from
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf backend server, it will automatically be displayed.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf This setting can be overridden by setting
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf for a particular domain.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Specifies time in seconds for which the list of
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf subdomains will be considered valid.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 60
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Specifies the comma-separated list of UID
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf values or user names that are allowed to run
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf PAM conversations against trusted domains.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Users not included in this list can only access
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf domains marked as public with
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf User names are resolved to UIDs at
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: All users are considered trusted
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf by default
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang Please note that UID 0 is always allowed to access
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the PAM responder even in case it is not in the
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf pam_trusted_users list.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Specifies the comma-separated list of domain names
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf that are accessible even to untrusted users.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Two special values for pam_public_domains option
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf are defined:
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf all (Untrusted users are allowed to access
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf all domains in PAM responder.)
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf none (Untrusted users are not allowed to access
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf any domains in the PAM responder.)
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: none
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
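The access rule formed by pam_trusted_users and pam_public_domains, as an added example that is not SSSD's own code: UID 0 is always admitted, listed users reach every domain, everyone else only the public ones, with the special values all and none. The name-to-UID table is constructed sample data and the function names are this example's own.

```python
from typing import Optional, Set, Union

# Constructed sample passwd data standing in for the name-to-UID resolution
# that the page says happens when names are given instead of UIDs.
SAMPLE_PASSWD = {"root": 0, "alice": 1000, "svc-monitor": 2001}


def parse_trusted_users(value: Optional[str],
                        resolve_uid=SAMPLE_PASSWD.__getitem__) -> Optional[Set[int]]:
    """pam_trusted_users: comma-separated UIDs or user names.  None (option
    unset) means every user is trusted.  An unresolvable name raises KeyError
    rather than being silently dropped, so a typo cannot widen access."""
    if value is None:
        return None
    uids = set()
    for item in value.split(","):
        item = item.strip()
        if item:
            uids.add(int(item) if item.isdigit() else resolve_uid(item))
    return uids


def parse_public_domains(value: Optional[str]) -> Union[str, Set[str]]:
    """pam_public_domains: 'all', 'none' (the default) or a list of domains."""
    value = (value or "none").strip()
    if value in ("all", "none"):
        return value
    return {d.strip() for d in value.split(",") if d.strip()}


def pam_domain_access_allowed(client_uid: int, domain: str,
                              trusted_uids: Optional[Set[int]],
                              public_domains: Union[str, Set[str]]) -> bool:
    """May the client process with client_uid run a PAM conversation for domain?"""
    if client_uid == 0:
        return True                          # UID 0 is always allowed
    if trusted_uids is None or client_uid in trusted_uids:
        return True                          # trusted users reach every domain
    if public_domains == "all":
        return True
    if public_domains == "none":
        return False
    return domain in public_domains          # untrusted: public domains only


if __name__ == "__main__":
    trusted = parse_trusted_users("alice, 2001")
    public = parse_public_domains("corp.example.com")
    for uid in (0, 1000, 1001):
        print(uid, pam_domain_access_allowed(uid, "hr.example.com", trusted, public))
```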
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Allows a custom expiration message to be set,
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf replacing the default 'Permission denied'
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Note: Please be aware that the message is only
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf printed for the SSH service unless pam_verbosity
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf is set to 3 (show all messages and debug
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf information).
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <programlisting>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azfpam_account_expired_message = Account expired, please contact help desk.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </programlisting>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: none
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang <term>pam_account_locked_message (string)</term>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Allows a custom lockout message to be set,
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf replacing the default 'Permission denied'
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <programlisting>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azfpam_account_locked_message = Account locked, please contact help desk.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </programlisting>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: none
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Enable certificate-based Smartcard authentication.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Since this requires additional communication with
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the Smartcard, which delays the authentication
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf process, this option is disabled by default.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: False
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The path to the certificate database which contains
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the PKCS#11 modules to access the Smartcard.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf How many seconds will pam_sss wait for
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf p11_child to finish.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 10
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Which PAM services are permitted to contact
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: Not set
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </refsect2>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf These options can be used to configure the sudo service.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The detailed instructions for configuration of
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry> to work with
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry> are in the manual page
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry>.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Whether or not to evaluate the sudoNotBefore
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf and sudoNotAfter attributes that implement
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf time-dependent sudoers entries.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: false
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Maximum number of expired rules that can be
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf refreshed at once. If the number of expired rules
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf is below the threshold, those rules are refreshed
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the threshold is exceeded a
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf triggered instead. This threshold number also
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf applies to IPA sudo command and command group
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 50
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </refsect2>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf These options can be used to configure the autofs service.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Specifies for how many seconds the autofs
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf responder should cache negative hits
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf (that is, queries for invalid map entries,
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf like nonexistent ones) before asking the back
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf end again.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 15
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/autofs_restart.xml" />
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </refsect2>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf These options can be used to configure the SSH service.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Whether or not to hash host names and addresses in
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the managed known_hosts file.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: true
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
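What hashing a known_hosts entry means in practice, as an added example that is neither SSSD's nor OpenSSH's code: the hashed host field is |1|base64(salt)|base64(HMAC-SHA1(salt, name)), so a client can still check a name it is about to connect to while someone reading the file cannot list the hosts. The function names are this example's own and the key material in the sample line is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"   # marker of the HMAC-SHA1 hashed host format


def hash_host_field(hostname: str, salt: bytes = None) -> str:
    """Hashed host field for one name or address:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    if salt is None:
        salt = os.urandom(20)   # fresh 20-byte salt per entry
    mac = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return HASH_MAGIC + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(field: str, hostname: str) -> bool:
    """Does a known_hosts host field (hashed or plain) cover hostname?
    A lookup for a known name succeeds; recovering names from the file does not."""
    if not field.startswith(HASH_MAGIC):
        return hostname in field.split(",")
    _, _, salt_b64, mac_b64 = field.split("|")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(mac_b64)
    actual = hmac.new(salt, hostname.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def hash_known_hosts_line(line: str, salt: bytes = None) -> list:
    """Rewrite one plain known_hosts line into hashed form.  A comma-separated
    host field (name plus address) becomes one hashed line per entry, since a
    hashed field can only ever cover a single name."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith(HASH_MAGIC):
        return [line.rstrip("\n")]          # comments and hashed lines pass through
    host_field, rest = stripped.split(None, 1)
    return [hash_host_field(name, salt) + " " + rest for name in host_field.split(",")]


if __name__ == "__main__":
    # Constructed sample line; the key blob is a placeholder, not a real key.
    sample = "bastion.example.com,192.0.2.10 ssh-ed25519 AAAAC3Nzconstructed"
    for hashed in hash_known_hosts_line(sample):
        print(hashed)
        print("  matches bastion.example.com:",
              host_field_matches(hashed.split()[0], "bastion.example.com"))
```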
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf How many seconds to keep a host in the managed
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf known_hosts file after its host keys were requested.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 180
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Path to a storage of trusted CA certificates. The
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf option is used to validate user certificates before
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf deriving public ssh keys from them.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </refsect2>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <refsect2 id='PAC_RESPONDER' condition="with_pac_responder">
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The PAC responder works together with the authorization data
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf plugin for MIT Kerberos sssd_pac_plugin.so and a sub-domain
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf provider. The plugin sends the PAC data during a GSSAPI
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf authentication to the PAC responder. The sub-domain provider
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf collects domain SID and ID ranges of the domain the client is
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf joined to and of remote trusted domains from the local domain
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf controller. If the PAC is decoded and evaluated some of the
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang following operations are done:
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <itemizedlist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf cache, it is created. The UID is determined with the help
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf of the SID, trusted domains will have UPGs and the GID
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf will have the same value as the UID. The home directory is
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf set based on the subdomain_homedir parameter. The shell will
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf be empty by default, i.e. the system defaults are used, but
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf can be overwritten with the default_shell parameter.</para>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf sssd knows about, the user will be added to those groups.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </itemizedlist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf These options can be used to configure the PAC responder.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <variablelist>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Specifies the comma-separated list of UID values or
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf user names that are allowed to access the PAC
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf responder. User names are resolved to UIDs at
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 0 (only the root user is allowed to access
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the PAC responder)
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang Please note that although the UID 0 is used as the
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf default it will be overwritten with this option. If
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf you still want to allow the root user to access the
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf PAC responder, which would be the typical case, you
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf have to add 0 to the list of allowed UIDs as well.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Lifetime of the PAC entry in seconds. As long as the
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf PAC is valid the PAC data can be used to determine
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the group memberships of a user.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 300
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </variablelist>
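The following Python is an added example, not code from SSSD or from this manual page. It reads a constructed [pac] section, resolves the comma-separated list through a constructed passwd table standing in for NSS, and shows the rule stated above: once the option is set, UID 0 is allowed only if it is listed. The option name allowed_uids is assumed here, as the term is not shown on this page.

```python
import configparser

# Constructed sample [pac] section (assumed option name allowed_uids).
SAMPLE_CONF = """
[pac]
allowed_uids = 0, sssd_reader, 1001
"""

# Constructed passwd-style table standing in for NSS name resolution.
PASSWD_TABLE = {"root": 0, "sssd_reader": 1000, "alice": 1001}


def parse_allowed_uids(value):
    """Turn the comma-separated option value into a set of UIDs.

    All-digit items are taken as UIDs; anything else is a user name looked
    up in PASSWD_TABLE. Unknown names are reported rather than dropped, so
    a typo cannot silently widen or narrow the allow list.
    """
    uids = set()
    unknown = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        if item.isdigit():
            uids.add(int(item))
        elif item in PASSWD_TABLE:
            uids.add(PASSWD_TABLE[item])
        else:
            unknown.append(item)
    return uids, unknown


def pac_allowed_uids(conf_text):
    """Return the set of UIDs allowed to talk to the PAC responder.

    Mirrors the documented rule: the default is {0}, but as soon as the
    option is set that default is replaced, so root stays allowed only if
    0 (or the root user name) is listed explicitly.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.has_option("pac", "allowed_uids"):
        return {0}
    uids, unknown = parse_allowed_uids(cp.get("pac", "allowed_uids"))
    if unknown:
        raise ValueError("unresolvable names in allowed_uids: %r" % unknown)
    return uids


def is_allowed(conf_text, uid):
    return uid in pac_allowed_uids(conf_text)


if __name__ == "__main__":
    print(sorted(pac_allowed_uids(SAMPLE_CONF)))
    # Same list without the leading 0: root is locked out, the documented trap.
    no_root = SAMPLE_CONF.replace("allowed_uids = 0, ", "allowed_uids = ")
    print(is_allowed(no_root, 0))
```

Running it prints the resolved set for the sample list and then False for UID 0 once the leading 0 is dropped from the list, which is the case the note above warns about.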
</refsect2>
Session recording works in conjunction with
<citerefentry>
</citerefentry>, a part of the tlog package, to log what users see
and type when they log in on a text terminal.
<citerefentry>
</citerefentry>.
These options can be used to configure session recording.
<variablelist>
<varlistentry>
<listitem>
One of the following strings specifying the scope
of session recording:
<variablelist>
<varlistentry>
<listitem>
No users are recorded.
</varlistentry>
<varlistentry>
<listitem>
options are recorded.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
All users are recorded.
</listitem>
</varlistentry>
</variablelist>
Default: "none"
</listitem>
</varlistentry>
<varlistentry>
<listitem>
A comma-separated list of users which should have
session recording enabled. Matches user names as
returned by NSS, i.e. after any space
replacement, case changes, etc.
Default: Empty. Matches no users.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
A comma-separated list of groups, members of which
should have session recording enabled. Matches
group names as returned by NSS, i.e. after any
space replacement, case changes, etc.
NOTE: using this option (having it set to
anything) has a considerable performance cost,
because each uncached request for a user requires
retrieving and matching the groups the user is
a member of.
Default: Empty. Matches no groups.
</listitem>
</varlistentry>
</variablelist>
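An added example (not SSSD code and not part of this manual page) of the matching rules above: it loads a constructed [session_recording] section, normalises a login name the way the text describes (case changes and space replacement are modelled here as lower-casing and replacing spaces with underscores, an assumption), and only consults group membership when the groups option is set, which is where the documented performance cost comes from. The option names scope, users and groups and the scope value some are assumed, as the corresponding terms are not shown on this page.

```python
import configparser

# Constructed sssd.conf fragment (sample names, not a real host). Note the
# user list is written in the NSS form of the name, not the login form.
SAMPLE_CONF = """
[session_recording]
scope = some
users = alice, bob_smith
groups = contractors
"""

# Constructed stand-in for the group memberships NSS would return.
NSS_GROUP_MEMBERS = {"contractors": {"carol"}, "staff": {"alice", "dave"}}


def nss_canonical(login_name):
    """Model the name as NSS returns it. Assumption for this example: case
    is folded and spaces are replaced by underscores."""
    return login_name.strip().lower().replace(" ", "_")


def split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def load_policy(conf_text):
    """Read scope/users/groups with the defaults given on the page."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["session_recording"] if cp.has_section("session_recording") else {}
    scope = sec.get("scope", "none")
    if scope not in ("none", "some", "all"):
        raise ValueError("unknown session_recording scope: %r" % scope)
    return {
        "scope": scope,
        "users": set(split_list(sec.get("users", ""))),
        "groups": set(split_list(sec.get("groups", ""))),
    }


def group_lookups_needed(policy):
    """True when every uncached user request also has to fetch the user's
    groups, i.e. when the groups option is set and actually consulted."""
    return policy["scope"] == "some" and bool(policy["groups"])


def should_record(policy, login_name):
    """Apply the scope rules to one login."""
    if policy["scope"] == "none":
        return False
    if policy["scope"] == "all":
        return True
    name = nss_canonical(login_name)
    if name in policy["users"]:
        return True
    if policy["groups"]:
        # This is the costly path: the user's groups must be retrieved and
        # matched against the configured list.
        user_groups = {g for g, members in NSS_GROUP_MEMBERS.items() if name in members}
        return not user_groups.isdisjoint(policy["groups"])
    return False
```

A login of "Bob Smith" is recorded because it matches bob_smith after normalisation; carol is recorded only through the contractors group, which is the lookup the NOTE above warns costs extra on every uncached request.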
</refsect2>
</refsect1>
These configuration options can be present in a domain
configuration section, that is, in a section called
<variablelist>
<varlistentry>
<listitem>
Specifies whether the domain is meant to be used
by POSIX-aware clients such as the Name Service Switch
or by applications that do not need POSIX data to be
present or generated. Only objects from POSIX domains
are available to the operating system interfaces and
utilities.
POSIX domains are reachable by all services. Application
domains are only reachable from the InfoPipe responder (see
<citerefentry>
</citerefentry>) and the PAM responder.
NOTE: The application domains are currently well tested with
For an easy way to configure non-POSIX domains, please
Default: posix
</listitem>
</varlistentry>
<varlistentry>
<listitem>
UID and GID limits for the domain. If a domain
contains an entry that is outside these limits, it
is ignored.
For users, this affects the primary GID limit. The
user will not be returned to NSS if either the
UID or the primary GID is outside the range. For
non-primary group memberships, those that are in
range will be reported as expected.
These ID limits affect even saving entries to the
cache, not only returning them by name or ID.
Default: 1 for min_id, 0 (no limit) for max_id
</listitem>
</varlistentry>
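As an added example of the min_id/max_id rules above (not SSSD code, not from this manual page; the domain name and the directory entries are constructed): a user whose UID or primary GID falls outside the limits disappears from the NSS view, a user whose supplementary groups are partly out of range is returned with those groups filtered, and groups outside the limits are never written to the cache.

```python
import configparser

# Constructed sssd.conf fragment with explicit ID limits (sample values).
SAMPLE_CONF = """
[domain/example.test]
min_id = 1000
max_id = 60000
"""

# Constructed directory entries: uid, primary gid, all group memberships.
USERS = {
    "alice": {"uid": 1001, "gid": 1001, "groups": [1001, 500, 5000, 70000]},
    "svc":   {"uid": 999,  "gid": 999,  "groups": [999]},           # UID below min_id
    "bob":   {"uid": 2002, "gid": 70000, "groups": [2002, 70000]},  # primary GID above max_id
}
GROUPS = {500: "legacy", 999: "svc", 1001: "alice", 2002: "bob", 5000: "devs", 70000: "big"}


def load_id_limits(conf_text, domain):
    """Read min_id/max_id with the documented defaults (1, and 0 = no limit)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    return sec.getint("min_id", 1), sec.getint("max_id", 0)


def in_range(id_value, min_id, max_id):
    return id_value >= min_id and (max_id == 0 or max_id >= id_value)


def nss_view_of_user(user, min_id, max_id):
    """Apply the rules from the page: the user is dropped entirely if the
    UID or the primary GID is out of range; out-of-range supplementary
    groups are left out while the in-range ones are reported."""
    if not in_range(user["uid"], min_id, max_id):
        return None
    if not in_range(user["gid"], min_id, max_id):
        return None
    groups = [g for g in user["groups"] if in_range(g, min_id, max_id)]
    return {"uid": user["uid"], "gid": user["gid"], "groups": groups}


def cacheable_groups(min_id, max_id):
    """Entries outside the limits are not even written to the cache."""
    return sorted(gid for gid in GROUPS if in_range(gid, min_id, max_id))


def audit(conf_text, domain):
    """Report which constructed users remain visible under the limits."""
    min_id, max_id = load_id_limits(conf_text, domain)
    return {name: nss_view_of_user(u, min_id, max_id) is not None
            for name, u in USERS.items()}


if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "example.test"))
```

The audit helper is the check worth running before tightening the limits on a live host: it shows which accounts would silently vanish from getent and from the cache rather than fail loudly.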
<varlistentry>
<listitem>
Determines if a domain can be enumerated. This
parameter can have one of the following values:
TRUE = Users and groups are enumerated
FALSE = No enumerations for this domain
Default: FALSE
Note: Enabling enumeration has a moderate
performance impact on SSSD while enumeration
is running. It may take up to several minutes
after SSSD startup to fully complete enumerations.
During this time, individual requests for
information will go directly to LDAP, though they
may be slow due to the heavy enumeration
processing. Saving a large number of entries
to the cache after the enumeration completes might
also be CPU intensive, as the memberships have
to be recomputed.
While the first enumeration is running, requests
for the complete user or group lists may return
no results until it completes.
Further, enabling enumeration may increase the time
necessary to detect network disconnection, as
longer timeouts are required to ensure that
enumeration lookups are completed successfully.
For more information, refer to the man pages for
the specific id_provider in use.
For the reasons cited above, enabling enumeration
is not recommended, especially in large
environments.
</varlistentry>
<varlistentry>
<listitem>
Whether any of the autodetected trusted domains should
be enumerated. The supported values are:
<variablelist>
<varlistentry>
<listitem><para>All discovered trusted domains will be enumerated</para></listitem>
</varlistentry>
<varlistentry>
<listitem><para>No discovered trusted domains will be enumerated</para></listitem>
</varlistentry>
</variablelist>
Optionally, a list of one or more domain
names can enable enumeration just for these
trusted domains.
Default: none
</listitem>
</varlistentry>
<varlistentry>
<listitem>
How many seconds nss_sss should consider
entries valid before asking the backend again.
The cache expiration timestamps are stored
as attributes of individual objects in the
cache. Therefore, changing the cache timeout only
has effect for newly added or expired entries.
You should run the
<citerefentry>
</citerefentry>
tool in order to force a refresh of entries that
have already been cached.
Default: 5400
</listitem>
</varlistentry>
<varlistentry>
<listitem>
How many seconds nss_sss should consider
user entries valid before asking the backend again.
Default: entry_cache_timeout
</listitem>
</varlistentry>
<varlistentry>
<listitem>
How many seconds nss_sss should consider
group entries valid before asking the backend again.
Default: entry_cache_timeout
</listitem>
</varlistentry>
<varlistentry>
<listitem>
How many seconds nss_sss should consider
netgroup entries valid before asking the backend again.
Default: entry_cache_timeout
</listitem>
</varlistentry>
<varlistentry>
<listitem>
How many seconds nss_sss should consider
service entries valid before asking the backend again.
Default: entry_cache_timeout
</listitem>
</varlistentry>
<listitem>
How many seconds sudo should consider
rules valid before asking the backend again.
Default: entry_cache_timeout
</listitem>
</varlistentry>
<listitem>
How many seconds the autofs service should
consider automounter maps valid before asking
the backend again.
Default: entry_cache_timeout
</listitem>
</varlistentry>
<listitem>
How many seconds to keep a host SSH key after
refresh, i.e. how long to cache the host key.
Default: entry_cache_timeout
</listitem>
</varlistentry>
<varlistentry>
<listitem>
Specifies how many seconds SSSD has to wait before
triggering a background refresh task which will
refresh all expired or nearly expired records.
The background refresh will process users,
groups and netgroups in the cache.
You can consider setting this value to
3/4 * entry_cache_timeout.
Default: 0 (disabled)
</listitem>
</varlistentry>
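An added example (not SSSD code and not part of this manual page) of the cache timeout behaviour described in the entries above: every entry carries its own expiry timestamp, so lowering a timeout does not shorten the life of entries already in the cache, and the background refresh picks entries that are expired or, as an assumption about what "nearly expired" means here, would expire before its next run. The per-type option names entry_cache_user_timeout, entry_cache_group_timeout and entry_cache_netgroup_timeout and the name refresh_expired_interval are assumed, as the terms are not shown on this page; entry_cache_timeout and the 3/4 rule of thumb come from the text.

```python
import configparser

# Constructed sssd.conf fragment (sample values, not a real deployment).
SAMPLE_CONF = """
[domain/example.test]
entry_cache_timeout = 5400
entry_cache_group_timeout = 600
refresh_expired_interval = 4050
"""

# Per-type timeout options (assumed names), each defaulting to
# entry_cache_timeout as the page states.
PER_TYPE_OPTION = {
    "user": "entry_cache_user_timeout",
    "group": "entry_cache_group_timeout",
    "netgroup": "entry_cache_netgroup_timeout",
}


def load_timeouts(conf_text, domain):
    """Return (entry_cache_timeout, per-type timeouts, refresh interval)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    base = sec.getint("entry_cache_timeout", 5400)
    timeouts = {kind: sec.getint(opt, base) for kind, opt in PER_TYPE_OPTION.items()}
    refresh = sec.getint("refresh_expired_interval", 0)   # 0 = disabled
    return base, timeouts, refresh


def suggested_refresh_interval(entry_cache_timeout):
    """The 3/4 * entry_cache_timeout rule of thumb from the page."""
    return entry_cache_timeout * 3 // 4


class EntryCache:
    """Toy cache that stores an expiration timestamp on each entry, which is
    what makes a changed timeout apply only to new or expired entries."""

    def __init__(self, timeouts):
        self.timeouts = dict(timeouts)
        self.expires = {}        # (kind, name) -> absolute expiry time
        self.backend_calls = 0

    def is_valid(self, kind, name, now):
        key = (kind, name)
        return key in self.expires and self.expires[key] > now

    def lookup(self, kind, name, now):
        """Serve from the cache while valid; otherwise go to the back end and
        stamp the entry with now + the timeout in force at that moment."""
        if self.is_valid(kind, name, now):
            return "cache"
        self.backend_calls += 1
        self.expires[(kind, name)] = now + self.timeouts[kind]
        return "backend"

    def set_timeouts(self, timeouts):
        # Only future stores see the new values; stored timestamps are untouched.
        self.timeouts = dict(timeouts)

    def background_refresh(self, now, refresh_interval):
        """Entries the background task would refresh: already expired, or
        (assumption) due to expire before the next run."""
        horizon = now + refresh_interval
        return sorted(k for k, exp in self.expires.items() if horizon >= exp)
```

The set_timeouts step is the point the page makes about sss_cache: after lowering a timeout, entries stored under the old value stay valid until their own timestamp passes, so a forced refresh is the only way to shorten their life.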
<varlistentry>
<listitem>
Determines if user credentials are also cached
in the local LDB cache.
User credentials are stored as a SHA512 hash, not
in plaintext.
Default: FALSE
</listitem>
</varlistentry>
<varlistentry>
<term>cache_credentials_minimal_first_factor_length (int)</term>
<listitem>
If two-factor authentication (2FA) is used and
credentials should be saved, this value determines
the minimal length the first authentication factor
(the long-term password) must have to be saved as a SHA512
hash in the cache.
This prevents the short PINs of a PIN-based
2FA scheme from being saved in the cache, where they
would be easy targets for brute-force attacks.
Default: 8
</listitem>
</varlistentry>
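An added example (not SSSD code, not from this manual page) of the credential caching rules above: nothing is stored unless credential caching is on, only the first factor is stored, a 2FA first factor shorter than the minimum is refused, and what is stored is a salted SHA512 hash that can be checked offline without the secret ever being written in plaintext. The option name cache_credentials and the hash record layout are assumptions; the page gives only that a SHA512 hash is used.

```python
import configparser
import hashlib
import hmac
import os

# Constructed sssd.conf fragment (sample values, not a real host).
SAMPLE_CONF = """
[domain/example.test]
cache_credentials = true
cache_credentials_minimal_first_factor_length = 8
"""


def load_credential_policy(conf_text, domain):
    """Read the two options with the defaults the page gives (FALSE and 8).
    The option name cache_credentials is assumed from the text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/" + domain]
    return {
        "cache_credentials": sec.getboolean("cache_credentials", False),
        "min_first_factor_len": sec.getint(
            "cache_credentials_minimal_first_factor_length", 8),
    }


def hash_secret(secret, salt=None):
    """Salted SHA512 so nothing is stored in plaintext. The exact on-disk
    format SSSD uses is not given on this page; this layout is an example."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(salt + secret.encode("utf-8")).hexdigest()
    return "sha512$%s$%s" % (salt.hex(), digest)


class OfflineCredentialCache:
    def __init__(self, policy):
        self.policy = policy
        self.stored = {}   # user -> hash record; never the secret itself

    def after_online_auth(self, user, first_factor, second_factor=None):
        """Decide what to keep after a successful online authentication.
        Returns a reason string so the decision can be logged."""
        if not self.policy["cache_credentials"]:
            return "not-cached: cache_credentials is false"
        if second_factor is not None and \
                self.policy["min_first_factor_len"] > len(first_factor):
            # A short PIN would be a cheap brute-force target in the cache.
            return "not-cached: 2FA first factor shorter than the minimum"
        self.stored[user] = hash_secret(first_factor)   # only the first factor
        return "cached: first factor hash"

    def verify_offline(self, user, first_factor):
        record = self.stored.get(user)
        if record is None:
            return False
        _, salt_hex, _ = record.split("$")
        candidate = hash_secret(first_factor, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, record)
```

The second factor is never written at all, and with the default minimum of 8 a four-digit PIN used as the first factor is refused, so an offline attacker who obtains the cache has only the long-term password hash to work on.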
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Number of days entries are left in cache after
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf last successful login before being removed during
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf a cleanup of the cache. 0 means keep forever.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The value of this parameter must be greater than or
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf equal to offline_credentials_expiration.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 0 (unlimited)
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Display a warning N days before the password expires.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf If zero is set, then this filter is not applied,
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf i.e. if the expiration warning was received from
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf backend server, it will automatically be displayed.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Please note that the backend server has to provide
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf information about the expiration time of the password.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf If this information is missing, sssd cannot display a
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf warning. Also an auth provider has to be configured for
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf the backend.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: 7 (Kerberos), 0 (LDAP)
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The identification provider used for the domain.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Supported ID providers are:
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang <quote>proxy</quote>: Support a legacy NSS provider
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang <quote>local</quote>: SSSD internal provider for
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang <citerefentry>
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang </citerefentry> for more information on
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang configuring LDAP.
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang <quote>ipa</quote>: FreeIPA and Red Hat Enterprise
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang Identity Management provider. See
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang <citerefentry>
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang </citerefentry> for more information on
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang configuring FreeIPA.
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang <quote>ad</quote>: Active Directory provider. See
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang <citerefentry>
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang </citerefentry> for more information on
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang configuring Active Directory.
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang </varlistentry>
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang <varlistentry>
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang Use the full name and domain (as formatted by
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang the domain's full_name_format) as the user's login
5644143a6cf1e70bc2e78d5140970830aae0e8cdQuaker Fang name reported to NSS.
0dc2366f7b9f9f36e10909b1e95edbf2a261c2acVenugopal Iyer If set to TRUE, all requests to this domain
0dc2366f7b9f9f36e10909b1e95edbf2a261c2acVenugopal Iyer must use fully qualified names. For example,
0dc2366f7b9f9f36e10909b1e95edbf2a261c2acVenugopal Iyer if used in LOCAL domain that contains a "test"
0dc2366f7b9f9f36e10909b1e95edbf2a261c2acVenugopal Iyer wouldn't find the user while <command>getent
0dc2366f7b9f9f36e10909b1e95edbf2a261c2acVenugopal Iyer passwd test@LOCAL</command> would.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf NOTE: This option has no effect on netgroup
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf lookups due to their tendency to include nested
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf netgroups without qualified names. For netgroups,
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf all domains will be searched when an unqualified
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf name is requested.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: FALSE (TRUE if default_domain_suffix is
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Do not return group members for group lookups.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf If set to TRUE, the group membership attribute
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf is not requested from the ldap server, and
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf group members are not returned when processing
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf group lookup calls, such as
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry>.
020c47705d28102a8df83a43ddf08e34dde21f22ql As an effect, <quote>getent group
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf $groupname</quote> would return the requested
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf group as if it was empty.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Enabling this option can also make access
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf provider checks for group membership
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf significantly faster, especially for groups
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf containing many members.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Default: FALSE
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <varlistentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf The authentication provider used for the domain.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Supported auth providers are:
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry> for more information on configuring LDAP.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry> for more information on configuring Kerberos.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Identity Management provider. See
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry> for more information on
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf configuring FreeIPA.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry> for more information on
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf configuring Active Directory.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <quote>proxy</quote> for relaying authentication to some other PAM target.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf local users
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang is set and can handle authentication requests.
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang </varlistentry>
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang <varlistentry>
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang The access control provider used for the domain.
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang There are two built-in access providers (in
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf addition to any included in installed backends)
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang Internal special providers are:
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <quote>permit</quote> always allow access. It's the only permitted access provider for a local domain.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry> for more information on configuring LDAP.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf Identity Management provider. See
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry> for more information on
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf configuring FreeIPA.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </citerefentry> for more information on
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf configuring Active Directory.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf or deny lists. See <citerefentry>
1a932f2eab9b00d713acc4205d96ca2485bf2712Quaker Fang <manvolnum>5</manvolnum></citerefentry> for more
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf information on configuring the simple access module.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf See <citerefentry>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf information on configuring Kerberos.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf <quote>proxy</quote> for relaying access control to another PAM module.
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </listitem>
40db2e2b777b79f3dd0d6d9629593a07f86b9c0azf </varlistentry>
<varlistentry>
<listitem>
The provider which should handle change password
operations for the domain.
Supported change password providers are:
in an LDAP server. See
<citerefentry>
</citerefentry> for more information on configuring LDAP.
password. See
<citerefentry>
</citerefentry> for more information on configuring Kerberos.
Identity Management provider. See
<citerefentry>
</citerefentry> for more information on
configuring FreeIPA.
<citerefentry>
</citerefentry> for more information on
configuring Active Directory.
to some other PAM target.
<quote>none</quote> disallows password changes explicitly.
is set and can handle change password requests.
</listitem>
</varlistentry>
<listitem>
The SUDO provider used for the domain.
Supported SUDO providers are:
<citerefentry>
</citerefentry> for more information on configuring
but with IPA default settings.
but with AD default settings.
used if it is set.
Detailed instructions for configuring
sudo_provider are in the manual page
<citerefentry>
</citerefentry>.
There are many configuration options that can be
used to adjust the behavior. Please refer to
"ldap_sudo_*" in
<citerefentry>
</citerefentry>.
periodically downloaded in the background unless
the sudo provider is explicitly disabled. Set
disable all sudo-related activity in SSSD if you do
not want to use sudo with SSSD at all.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
The provider which should handle loading of SELinux
settings. Note that this provider is called right
after the access provider finishes.
Supported SELinux providers are:
from an IPA server. See
<citerefentry>
</citerefentry> for more information on configuring IPA.
<quote>none</quote> disallows fetching SELinux settings explicitly.
is set and can handle SELinux loading requests.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
The provider which should handle fetching of
subdomains. This value should always be the same as
id_provider.
Supported subdomain providers are:
<quote>ipa</quote> to load a list of subdomains
from an IPA server. See
<citerefentry>
</citerefentry> for more information on configuring
from an Active Directory server. See
<citerefentry>
</citerefentry> for more information on configuring
the AD provider.
explicitly.
used if it is set.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
The provider which configures and manages user session
related tasks. The only user session task currently
provided is the integration with Fleet Commander, which
works only with IPA.
Supported session providers are:
related tasks.
session related tasks.
is set and can perform session related tasks.
</listitem>
</varlistentry>
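As an added example (not part of sssd.conf(5) or of SSSD), the fallback rules above for chpass_provider, sudo_provider, selinux_provider, subdomains_provider and session_provider can be turned into a small audit that resolves each domain's effective providers and flags settings worth a second look; the sample configuration and the review policy are constructed here, and the assumption that an unset access_provider means permit comes from SSSD's documented default rather than from this excerpt:

```python
"""Added example (not SSSD code): resolve each [domain/...] section's effective
providers with the fallback rules in the text above and flag settings worth review.
Assumes an unset access_provider means "permit" (SSSD's default; not in this excerpt)."""
import configparser

# Constructed sample sssd.conf ('#' or ';' start comment lines; no inline comments).
SAMPLE_CONF = """[sssd]
services = nss, pam, sudo
domains = corp.example.com, legacy
[domain/corp.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
[domain/legacy]
id_provider = ldap
auth_provider = krb5
access_provider = permit
chpass_provider = none
sudo_provider = none
"""
INHERITS = {"chpass_provider": "auth_provider", "sudo_provider": "id_provider",
            "selinux_provider": "id_provider", "subdomains_provider": "id_provider",
            "session_provider": "id_provider"}

def parse(text: str) -> configparser.ConfigParser:
    # '=' is the only key/value delimiter and sssd.conf has no %-interpolation.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp

def effective_providers(cp: configparser.ConfigParser, section: str) -> dict:
    sec = cp[section]
    eff = {k: sec.get(k, "") for k in ("id_provider", "auth_provider")}
    eff["access_provider"] = sec.get("access_provider", "permit")  # assumed default
    for key, parent in INHERITS.items():
        eff[key] = sec.get(key) or eff[parent]  # explicit value wins, else inherit
    return eff

def audit(text: str) -> list:
    findings, cp = [], parse(text)
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        eff = effective_providers(cp, section)
        if eff["access_provider"] == "permit":
            findings.append((section, "access_provider=permit allows every authenticated user"))
        if eff["chpass_provider"] == "none":
            findings.append((section, "chpass_provider=none disables password changes"))
        if eff["sudo_provider"] not in ("", "none"):
            findings.append((section, "sudo rules fetched in the background via " + eff["sudo_provider"]))
    return findings
```

Running audit(SAMPLE_CONF) reports the inherited sudo provider for corp.example.com and both the permit access provider and the disabled password changes for legacy.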
<listitem>
The autofs provider used for the domain.
Supported autofs providers are:
<citerefentry>
</citerefentry> for more information on configuring LDAP.
<quote>(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))</quote>
(e.g. RHEL5 and SLES10). Only platforms with
ldap_uri = ldap://ldap.example.com
<quote>[domain/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</replaceable>]</quote>.
ldap_uri = ldap://ldap.example.com
krb5_server = kerberos.example.com
krb5_realm = EXAMPLE.COM