class SSSDConfigException(Exception): pass
class ParsingError(Exception): pass
class AlreadyInitializedError(SSSDConfigException): pass
class NotInitializedError(SSSDConfigException): pass
class NoOutputFileError(SSSDConfigException): pass
class NoServiceError(SSSDConfigException): pass
class NoSectionError(SSSDConfigException): pass
class NoOptionError(SSSDConfigException): pass
class ServiceNotRecognizedError(SSSDConfigException): pass
class ServiceAlreadyExists(SSSDConfigException): pass
class NoDomainError(SSSDConfigException): pass
class DomainNotRecognized(SSSDConfigException): pass
class DomainAlreadyExistsError(SSSDConfigException): pass
class NoSuchProviderError(SSSDConfigException): pass
class NoSuchProviderSubtypeError(SSSDConfigException): pass
class ProviderSubtypeInUse(SSSDConfigException): pass
# TODO: This needs to be made external
'debug' : _('Set the verbosity of the debug logging'),
'debug_level' : _('Set the verbosity of the debug logging'),
'debug_timestamps' : _('Include timestamps in debug logs'),
'debug_microseconds' : _('Include microseconds in timestamps in debug logs'),
'debug_to_files' : _('Write debug messages to logfiles'),
'timeout' : _('Watchdog timeout before restarting service'),
'command' : _('Command to start service'),
'reconnection_retries' : _('Number of times to attempt connection to Data Providers'),
'fd_limit' : _('The number of file descriptors that may be opened by this responder'),
'client_idle_timeout' : _('Idle time before automatic disconnection of a client'),
'services' : _('SSSD Services to start'),
'domains' : _('SSSD Domains to start'),
'sbus_timeout' : _('Timeout for messages sent over the SBUS'),
're_expression' : _('Regex to parse username and domain'),
'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
'krb5_rcache_dir' : _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
'default_domain_suffix' : _('Domain to add to names without a domain component.'),
'user' : _('The user to drop privileges to'),
'certificate_verification' : _('Tune certificate verification'),
'override_space': _('All spaces in group or user names will be replaced with this character'),
'disable_netlink' : _('Tune sssd to honor or ignore netlink state changes'),
'enum_cache_timeout' : _('Enumeration cache timeout length (seconds)'),
'entry_cache_no_wait_timeout' : _('Entry cache background update timeout length (seconds)'),
'entry_negative_timeout' : _('Negative cache timeout length (seconds)'),
'local_negative_timeout' : _('Files negative cache timeout length (seconds)'),
'filter_users' : _('Users that SSSD should explicitly ignore'),
'filter_groups' : _('Groups that SSSD should explicitly ignore'),
'filter_users_in_groups' : _('Should filtered users appear in groups'),
'pwfield' : _('The value of the password field the NSS provider should return'),
'override_homedir' : _('Override homedir value from the identity provider with this value'),
'fallback_homedir' : _('Substitute empty homedir value from the identity provider with this value'),
'override_shell': _('Override shell value from the identity provider with this value'),
'allowed_shells' : _('The list of shells users are allowed to log in with'),
'vetoed_shells' : _('The list of shells that will be vetoed, and replaced with the fallback shell'),
'shell_fallback' : _('If a shell stored in central directory is allowed but not available, use this fallback'),
'default_shell': _('Shell to use if the provider does not list one'),
'memcache_timeout': _('How long will be in-memory cache records valid'),
'user_attributes': _('List of user attributes the NSS responder is allowed to publish'),
'offline_credentials_expiration' : _('How long to allow cached logins between online logins (days)'),
'offline_failed_login_attempts' : _('How many failed logins attempts are allowed when offline'),
'offline_failed_login_delay' : _('How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
'pam_verbosity' : _('What kind of messages are displayed to the user during authentication'),
'pam_id_timeout' : _('How many seconds to keep identity information cached for PAM requests'),
'pam_pwd_expiration_warning' : _('How many days before password expiration a warning should be displayed'),
'pam_trusted_users' : _('List of trusted uids or user\'s name'),
'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
'pam_account_expired_message' : _('Message printed when user account is expired.'),
'pam_account_locked_message' : _('Message printed when user account is locked.'),
'pam_cert_db_path' : _('Path to certificate databse with PKCS#11 modules.'),
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
'sudo_inverse_order' : _('If true, SSSD will switch back to lower-wins ordering logic'),
'autofs_negative_timeout' : _('Negative cache timeout length (seconds)'),
'ssh_hash_known_hosts': _('Whether to hash host names and addresses in the known_hosts file'),
'ssh_known_hosts_timeout': _('How many seconds to keep a host in the known_hosts file after its host keys were requested'),
'ca_db': _('Path to storage of trusted CA certificates'),
'allowed_uids': _('List of UIDs or user names allowed to access the PAC responder'),
'pac_lifetime': _('How long the PAC data is considered valid'),
'allowed_uids': _('List of UIDs or user names allowed to access the InfoPipe responder'),
'user_attributes': _('List of user attributes the InfoPipe is allowed to publish'),
'id_provider' : _('Identity provider'),
'auth_provider' : _('Authentication provider'),
'access_provider' : _('Access control provider'),
'chpass_provider' : _('Password change provider'),
'sudo_provider' : _('SUDO provider'),
'autofs_provider' : _('Autofs provider'),
'hostid_provider' : _('Host identity provider'),
'selinux_provider' : _('SELinux provider'),
'min_id' : _('Minimum user ID'),
'max_id' : _('Maximum user ID'),
'cache_credentials' : _('Cache credentials for offline login'),
'store_legacy_passwords' : _('Store password hashes'),
'use_fully_qualified_names' : _('Display
users/groups in fully-qualified form'),
'ignore_group_members' : _('Don\'t include group members in group lookups'),
'entry_cache_timeout' : _('Entry cache timeout length (seconds)'),
'lookup_family_order' : _('Restrict or prefer a specific address family when performing DNS lookups'),
'account_cache_expiration' : _('How long to keep cached entries after last successful login (days)'),
'dns_resolver_timeout' : _('How long to wait for replies from DNS when resolving servers (seconds)'),
'dns_discovery_domain' : _('The domain part of service discovery DNS query'),
'override_gid' : _('Override GID value from the identity provider with this value'),
'case_sensitive' : _('Treat usernames as case sensitive'),
'entry_cache_user_timeout' : _('Entry cache timeout length (seconds)'),
'entry_cache_group_timeout' : _('Entry cache timeout length (seconds)'),
'entry_cache_netgroup_timeout' : _('Entry cache timeout length (seconds)'),
'entry_cache_service_timeout' : _('Entry cache timeout length (seconds)'),
'entry_cache_autofs_timeout' : _('Entry cache timeout length (seconds)'),
'entry_cache_sudo_timeout' : _('Entry cache timeout length (seconds)'),
'refresh_expired_interval' : _('How often should expired entries be refreshed in background'),
'dyndns_update' : _("Whether to automatically update the client's DNS entry"),
'dyndns_ttl' : _("The TTL to apply to the client's DNS entry after updating it"),
'dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
'dyndns_refresh_interval' : _("How often to periodically update the client's DNS entry"),
'dyndns_update_ptr' : _("Whether the provider should explicitly update the PTR record as well"),
'dyndns_force_tcp' : _("Whether the nsupdate utility should default to using TCP"),
'dyndns_auth' : _("What kind of authentication should be used to perform the DNS update"),
'dyndns_server' : _("Override the DNS server used to perform the DNS update"),
'subdomain_enumerate' : _('Control enumeration of trusted domains'),
'subdomain_refresh_interval' : _('How often should subdomains list be refreshed'),
'subdomain_inherit' : _('List of options that should be inherited into a subdomain'),
'cached_auth_timeout' : _('How long can cached credentials be used for cached authentication'),
'full_name_format' : _('Printf-compatible format for displaying fully-qualified names'),
're_expression' : _('Regex to parse username and domain'),
'ipa_domain' : _('IPA domain'),
'ipa_server' : _('IPA server address'),
'ipa_backup_server' : _('Address of backup IPA server'),
'ipa_hostname' : _('IPA client hostname'),
'ipa_dyndns_update' : _("Whether to automatically update the client's DNS entry in FreeIPA"),
'ipa_dyndns_ttl' : _("The TTL to apply to the client's DNS entry after updating it"),
'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
'ipa_selinux_refresh' : _("The amount of time in seconds between lookups of the SELinux maps against the IPA server"),
'ipa_hbac_support_srchost' : _("If set to false, host argument given by PAM will be ignored"),
'ipa_automount_location' : _("The automounter location this IPA client is using"),
'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"),
'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"),
'ipa_enable_dns_sites': _("Enable DNS sites - location based service discovery"),
'ipa_views_search_base': _("Search base for view containers"),
'ipa_view_class': _("Objectclass for view containers"),
'ipa_view_name': _("Attribute with the name of the view"),
'ipa_overide_object_class': _("Objectclass for override objects"),
'ipa_anchor_uuid': _("Attribute with the reference to the original object"),
'ipa_user_override_object_class': _("Objectclass for user override objects"),
'ipa_group_override_object_class': _("Objectclass for group override objects"),
'ad_domain' : _('Active Directory domain'),
'ad_enabled_domains' : _('Enabled Active Directory domains'),
'ad_server' : _('Active Directory server address'),
'ad_backup_server' : _('Active Directory backup server address'),
'ad_hostname' : _('Active Directory client hostname'),
'ad_enable_dns_sites' : _('Enable DNS sites - location based service discovery'),
'ad_access_filter' : _('LDAP filter to determine access privileges'),
'ad_enable_gc' : _('Whether to use the Global Catalog for lookups'),
'ad_gpo_access_control' : _('Operation mode for GPO-based access control'),
'ad_gpo_cache_timeout' : _("The amount of time between lookups of the GPO policy files against the AD server"),
'ad_gpo_map_interactive' : _('PAM service names that map to the GPO (Deny)InteractiveLogonRight policy settings'),
'ad_gpo_map_remote_interactive' : _('PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight policy settings'),
'ad_gpo_map_network' : _('PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings'),
'ad_gpo_map_batch' : _('PAM service names that map to the GPO (Deny)BatchLogonRight policy settings'),
'ad_gpo_map_service' : _('PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings'),
'ad_gpo_map_permit' : _('PAM service names for which GPO-based access is always granted'),
'ad_gpo_map_deny' : _('PAM service names for which GPO-based access is always denied'),
'ad_gpo_default_right' : _('Default logon right (or
permit/deny) to use for unmapped PAM service names'),
'ad_site' : _('a particular site to be used by the client'),
'ad_maximum_machine_account_password_age' : _('Maximum age in days before the machine account password should be renewed'),
'ad_machine_account_password_renewal_opts' : _('Option for tuing the machine account renewal task'),
'krb5_kdcip' : _('Kerberos server address'),
'krb5_server' : _('Kerberos server address'),
'krb5_backup_server' : _('Kerberos backup server address'),
'krb5_realm' : _('Kerberos realm'),
'krb5_auth_timeout' : _('Authentication timeout'),
'krb5_use_kdcinfo' : _('Whether to create kdcinfo files'),
'krb5_confd_path' : _('Where to drop krb5 config snippets'),
'krb5_ccachedir' : _('Directory to store credential caches'),
'krb5_ccname_template' : _("Location of the user's credential cache"),
'krb5_keytab' : _("Location of the keytab to validate credentials"),
'krb5_validate' : _("Enable credential validation"),
'krb5_store_password_if_offline' : _("Store password if offline for later online authentication"),
'krb5_renewable_lifetime' : _("Renewable lifetime of the TGT"),
'krb5_lifetime' : _("Lifetime of the TGT"),
'krb5_renew_interval' : _("Time between two checks for renewal"),
'krb5_use_fast' : _("Enables FAST"),
'krb5_fast_principal' : _("Selects the principal to use for FAST"),
'krb5_canonicalize' : _("Enables principal canonicalization"),
'krb5_use_enterprise_principal' : _("Enables enterprise principals"),
'krb5_map_user' : _('A mapping from user names to kerberos principal names'),
'krb5_kpasswd' : _('Server where the change password service is running if not on the KDC'),
'krb5_backup_kpasswd' : _('Server where the change password service is running if not on the KDC'),
'ldap_uri' : _('ldap_uri, The URI of the LDAP server'),
'ldap_backup_uri' : _('ldap_backup_uri, The URI of the LDAP server'),
'ldap_search_base' : _('The default base DN'),
'ldap_schema' : _('The Schema Type in use on the LDAP server, rfc2307'),
'ldap_default_bind_dn' : _('The default bind DN'),
'ldap_default_authtok_type' : _('The type of the authentication token of the default bind DN'),
'ldap_default_authtok' : _('The authentication token of the default bind DN'),
'ldap_network_timeout' : _('Length of time to attempt connection'),
'ldap_opt_timeout' : _('Length of time to attempt synchronous LDAP operations'),
'ldap_offline_timeout' : _('Length of time between attempts to reconnect while offline'),
'ldap_force_upper_case_realm' : _('Use only the upper case for realm names'),
'ldap_tls_cacert' : _('File that contains CA certificates'),
'ldap_tls_cacertdir' : _('Path to CA certificate directory'),
'ldap_tls_cert' : _('File that contains the client certificate'),
'ldap_tls_key' :_('File that contains the client key'),
'ldap_tls_cipher_suite' :_('List of possible ciphers suites'),
'ldap_tls_reqcert' : _('Require TLS certificate verification'),
'ldap_sasl_mech' : _('Specify the sasl mechanism to use'),
'ldap_sasl_authid' : _('Specify the sasl authorization id to use'),
'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'),
'ldap_sasl_minssf' : _('Specify the minimal SSF for LDAP sasl authorization'),
'ldap_krb5_keytab' : _('Kerberos service keytab'),
'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'),
'ldap_referrals' : _('Follow LDAP referrals'),
'ldap_krb5_ticket_lifetime' : _('Lifetime of TGT for LDAP connection'),
'ldap_deref' : _('How to dereference aliases'),
'ldap_dns_service_name' : _('Service name for DNS service lookups'),
'ldap_page_size' : _('The number of records to retrieve in a single LDAP query'),
'ldap_deref_threshold' : _('The number of members that must be missing to trigger a full deref'),
'ldap_sasl_canonicalize' : _('Whether the LDAP library should perform a reverse lookup to canonicalize the host name during a SASL bind'),
'ldap_entry_usn' : _('entryUSN attribute'),
'ldap_rootdse_last_usn' : _('lastUSN attribute'),
'ldap_connection_expiration_timeout' : _('How long to retain a connection to the LDAP server before disconnecting'),
'ldap_disable_paging' : _('Disable the LDAP paging control'),
'ldap_disable_range_retrieval' : _('Disable Active Directory range retrieval'),
'ldap_search_timeout' : _('Length of time to wait for a search request'),
'ldap_enumeration_search_timeout' : _('Length of time to wait for a enumeration request'),
'ldap_enumeration_refresh_timeout' : _('Length of time between enumeration updates'),
'ldap_purge_cache_timeout' : _('Length of time between cache cleanups'),
'ldap_id_use_start_tls' : _('Require TLS for ID lookups'),
'ldap_id_mapping' : _('Use ID-mapping of objectSID instead of pre-set IDs'),
'ldap_user_search_base' : _('Base DN for user lookups'),
'ldap_user_search_scope' : _('Scope of user lookups'),
'ldap_user_search_filter' : _('Filter for user lookups'),
'ldap_user_object_class' : _('Objectclass for users'),
'ldap_user_name' : _('Username attribute'),
#not used # 'ldap_user_pwd' :_('Password attribute'),
'ldap_user_uid_number' : _('UID attribute'),
'ldap_user_gid_number' : _('Primary GID attribute'),
'ldap_user_gecos' : _('GECOS attribute'),
'ldap_user_home_directory' : _('Home directory attribute'),
'ldap_user_shell' : _('Shell attribute'),
'ldap_user_uuid' : _('UUID attribute'),
'ldap_user_objectsid' : _("objectSID attribute"),
'ldap_user_primary_group' : _('Active Directory primary group attribute for ID-mapping'),
'ldap_user_principal' : _('User principal attribute (for Kerberos)'),
'ldap_user_fullname' : _('Full Name'),
'ldap_user_member_of' : _('memberOf attribute'),
'ldap_user_modify_timestamp' : _('Modification time attribute'),
#replaced by ldap_entry_usn# 'ldap_user_entry_usn' : _('entryUSN attribute'),
'ldap_user_shadow_last_change' : _('shadowLastChange attribute'),
'ldap_user_shadow_min' : _('shadowMin attribute'),
'ldap_user_shadow_max' : _('shadowMax attribute'),
'ldap_user_shadow_warning' : _('shadowWarning attribute'),
'ldap_user_shadow_inactive' : _('shadowInactive attribute'),
'ldap_user_shadow_expire' : _('shadowExpire attribute'),
'ldap_user_shadow_flag' : _('shadowFlag attribute'),
'ldap_user_authorized_service' : _('Attribute listing authorized PAM services'),
'ldap_user_authorized_host' : _('Attribute listing authorized server hosts'),
'ldap_user_krb_last_pwd_change' : _('krbLastPwdChange attribute'),
'ldap_user_krb_password_expiration' : _('krbPasswordExpiration attribute'),
'ldap_pwd_attribute' : _('Attribute indicating that server side password policies are active'),
'ldap_user_ad_account_expires' : _('accountExpires attribute of AD'),
'ldap_user_ad_user_account_control' : _('userAccountControl attribute of AD'),
'ldap_ns_account_lock' : _('nsAccountLock attribute'),
'ldap_user_nds_login_disabled' : _('loginDisabled attribute of NDS'),
'ldap_user_nds_login_expiration_time' : _('loginExpirationTime attribute of NDS'),
'ldap_user_nds_login_allowed_time_map' : _('loginAllowedTimeMap attribute of NDS'),
'ldap_user_ssh_public_key' : _('SSH public key attribute'),
'ldap_user_auth_type' : _('attribute listing allowed authentication types for a user'),
'ldap_user_certificate' : _('attribute containing the X509 certificate of the user'),
'ldap_user_email' : _('attribute containing the email address of the user'),
'ldap_user_extra_attrs' : _('A list of extra attributes to download along with the user entry'),
'ldap_group_search_base' : _('Base DN for group lookups'),
# not used # 'ldap_group_search_scope' : _('Scope of group lookups'),
# not used # 'ldap_group_search_filter' : _('Filter for group lookups'),
'ldap_group_object_class' : _('Objectclass for groups'),
'ldap_group_name' : _('Group name'),
'ldap_group_pwd' : _('Group password'),
'ldap_group_gid_number' : _('GID attribute'),
'ldap_group_member' : _('Group member attribute'),
'ldap_group_uuid' : _('Group UUID attribute'),
'ldap_group_objectsid' : _("objectSID attribute"),
'ldap_group_modify_timestamp' : _('Modification time attribute for groups'),
'ldap_group_type' : _('Type of the group and other flags'),
'ldap_group_external_member' : _('The LDAP group external member attribute'),
#replaced by ldap_entry_usn# 'ldap_group_entry_usn' : _('entryUSN attribute'),
'ldap_group_nesting_level' : _('Maximum nesting level SSSd will follow'),
'ldap_netgroup_search_base' : _('Base DN for netgroup lookups'),
'ldap_netgroup_object_class' : _('Objectclass for netgroups'),
'ldap_netgroup_name' : _('Netgroup name'),
'ldap_netgroup_member' : _('Netgroups members attribute'),
'ldap_netgroup_triple' : _('Netgroup triple attribute'),
'ldap_netgroup_modify_timestamp' : _('Modification time attribute for netgroups'),
'ldap_service_search_base' : _('Base DN for service lookups'),
'ldap_service_object_class' : _('Objectclass for services'),
'ldap_service_name' : _('Service name attribute'),
'ldap_service_port' : _('Service port attribute'),
'ldap_service_proto' : _('Service protocol attribute'),
#replaced by ldap_entry_usn# 'ldap_service_entry_usn' : _('Service entryUSN attribute'),
'ldap_idmap_range_min' : _('Lower bound for ID-mapping'),
'ldap_idmap_range_max' : _('Upper bound for ID-mapping'),
'ldap_idmap_range_size' : _('Number of IDs for each slice when ID-mapping'),
'ldap_idmap_autorid_compat' : _('Use autorid-compatible algorithm for ID-mapping'),
'ldap_idmap_default_domain' : _('Name of the default domain for ID-mapping'),
'ldap_idmap_default_domain_sid' : _('SID of the default domain for ID-mapping'),
'ldap_idmap_helper_table_size' : _('Number of secondary slices'),
'ldap_groups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for group lookups'),
'ldap_initgroups_use_matching_rule_in_chain' : _('Use LDAP_MATCHING_RULE_IN_CHAIN for initgroup lookups'),
'ldap_use_tokengroups' : _('Whether to use Token-Groups'),
'ldap_min_id' : _('Set lower boundary for allowed IDs from the LDAP server'),
'ldap_max_id' : _('Set upper boundary for allowed IDs from the LDAP server'),
'ldap_pwdlockout_dn' : _('DN for ppolicy queries'),
'wildcard_limit' : _('How many maximum entries to fetch during a wildcard request'),
'ldap_pwd_policy' : _('Policy to evaluate the password expiration'),
'ldap_access_filter' : _('LDAP filter to determine access privileges'),
'ldap_account_expire_policy' : _('Which attributes shall be used to evaluate if an account is expired'),
'ldap_access_order' : _('Which rules should be used to evaluate access control'),
'ldap_chpass_uri' : _('URI of an LDAP server where password changes are allowed'),
'ldap_chpass_backup_uri' : _('URI of a backup LDAP server where password changes are allowed'),
'ldap_chpass_dns_service_name' : _('DNS service name for LDAP password change server'),
'ldap_chpass_update_last_change' : _('Whether to update the ldap_user_shadow_last_change attribute after a password change'),
'ldap_sudo_search_base' : _('Base DN for sudo rules lookups'),
'ldap_sudo_full_refresh_interval' : _('Automatic full refresh period'),
'ldap_sudo_smart_refresh_interval' : _('Automatic smart refresh period'),
'ldap_sudo_use_host_filter' : _('Whether to filter rules by hostname, IP addresses and network'),
'ldap_sudo_hostnames' : _('Hostnames
and/or fully qualified domain names of this machine to filter sudo rules'),
'ldap_sudo_ip' : _('IPv4 or IPv6 addresses or network of this machine to filter sudo rules'),
'ldap_sudo_include_netgroups' : _('Whether to include rules that contains netgroup in host attribute'),
'ldap_sudo_include_regexp' : _('Whether to include rules that contains regular expression in host attribute'),
'ldap_sudorule_object_class' : _('Object class for sudo rules'),
'ldap_sudorule_name' : _('Sudo rule name'),
'ldap_sudorule_command' : _('Sudo rule command attribute'),
'ldap_sudorule_host' : _('Sudo rule host attribute'),
'ldap_sudorule_user' : _('Sudo rule user attribute'),
'ldap_sudorule_option' : _('Sudo rule option attribute'),
'ldap_sudorule_runas' : _('Sudo rule runas attribute'),
'ldap_sudorule_runasuser' : _('Sudo rule runasuser attribute'),
'ldap_sudorule_runasgroup' : _('Sudo rule runasgroup attribute'),
'ldap_sudorule_notbefore' : _('Sudo rule notbefore attribute'),
'ldap_sudorule_notafter' : _('Sudo rule notafter attribute'),
'ldap_sudorule_order' : _('Sudo rule order attribute'),
'ldap_autofs_map_object_class' : _('Object class for automounter maps'),
'ldap_autofs_map_name' : _('Automounter map name attribute'),
'ldap_autofs_entry_object_class' : _('Object class for automounter map entries'),
'ldap_autofs_entry_key' : _('Automounter map entry key attribute'),
'ldap_autofs_entry_value' : _('Automounter map entry value attribute'),
'ldap_autofs_search_base' : _('Base DN for automounter map lookups'),
'simple_allow_users' : _('Comma separated list of allowed users'),
'simple_deny_users' : _('Comma separated list of prohibited users'),
'default_shell' : _('Default shell,
/bin/bash'),
'base_directory' : _('Base for home directories'),
'proxy_max_children' : _('The number of preforked proxy children.'),
'proxy_lib_name' : _('The name of the NSS library to use'),
'proxy_fast_alias' : _('Whether to look up canonical group name from cache if possible'),
'proxy_pam_target' : _('PAM stack to use')
def options_overlap(options1, options2):
class SSSDConfigSchema(SSSDChangeConf):
def __init__(self, schemafile, schemaplugindir):
SSSDChangeConf.__init__(self)
#TODO: get these from a global setting
#Read the primary config file
fd = open(schemafile, 'r')
# Read in the provider files
for file in filter(lambda f:
re.search('^sssd-.*\.conf$', f),
fd = open(schemaplugindir+ "/" + file)
except SyntaxError: # can be raised with readfp
# Set up lookup table for types
# Lookup table for acceptable boolean values
def get_options(self, section):
unparsed_option = option['value']
optionlen = len(split_option)
if option['name'] in option_strings:
desc = option_strings[option['name']]
# This option has no defaults
parsed_options[option['name']] = \
if type(split_option[DEFAULT]) == primarytype:
parsed_options[option['name']] = \
elif primarytype == list:
if (type(split_option[DEFAULT]) == subtype):
parsed_options[option['name']] = \
type(split_option[DEFAULT]) == str:
parsed_options[option['name']] = \
parsed_options[option['name']] = \
[subtype(split_option[DEFAULT])])
if primarytype == bool and \
type(split_option[DEFAULT]) == str:
parsed_options[option['name']] = \
parsed_options[option['name']] = \
primarytype(split_option[DEFAULT]))
if (primarytype != list):
for x in split_option[DEFAULT:]:
if (subtype == bool and type(x) == str):
parsed_options[option['name']] = \
def get_option(self, section, option):
raise NoSectionError(section)
raise NoOptionError("Section [%s] has no option [%s]" %
def get_defaults(self, section):
raise NoSectionError(section)
defaults = dict([(x,schema_options[x][4])
if schema_options[x][4] != None])
if x['name'] != 'service' and
not x['name'].startswith('domain') and
not x['name'].startswith('provider')]
splitsection = section['name'].split('/')
if (splitsection[0] == 'provider'):
if(len(splitsection) == 3):
if splitsection[1] not in providers:
providers[splitsection[1]] = []
providers[splitsection[1]].extend([splitsection[2]])
providers[key] = tuple(providers[key])
class SSSDConfigObject(object):
Return the name of the this object
def get_option(self, optionname):
Return the value of an service option
The value for the requested option.
The specified option was not listed in the service
raise NoOptionError(optionname)
def get_all_options(self):
Return a dictionary of
name/value pairs for this object
A dictionary of
name/value pairs currently in use for this object
def remove_option(self, optionname):
Remove an option from the object. If the option does not exist, it is ignored.
class SSSDService(SSSDConfigObject):
Object to manipulate SSSD service options
def __init__(self, servicename, apischema):
Create a new SSSDService, setting its defaults to those found in the
schema. This constructor should not be used directly. Use
An SSSDConfigSchema? object created by SSSDConfig.__init__()
The newly-created SSSDService object.
The API schema passed in was unusable or the name was not a string.
ServiceNotRecognizedError:
The service was not listed in the schema
SSSDConfigObject.__init__(self)
if not isinstance(apischema, SSSDConfigSchema) or type(servicename) != str:
raise ServiceNotRecognizedError(servicename)
# Set up the service object with any known defaults
# Include a list of hidden options
# Set up default options for all services
# Set up default options for this service
def list_options_with_mandatory(self):
List options for the service, including the mandatory flag.
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), whether it is mandatory, the
translated option description, and the default value (or 'None') as
(bool, None, False, u'Enable enumerating all
users/groups', True) }
# Get the list of available options for all services
List all options that apply to this service
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), the translated option description, and
the default value (or 'None') as the value.
(list, str, u'SSSD Services to start', ['nss', 'pam']) }
# Filter out the mandatory field to maintain compatibility
# with older versions of the API
filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
def list_mandatory_options(self):
List all mandatory options that apply to this service
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), the translated option description, and
the default value (or 'None') as the value.
(list, str, u'SSSD Services to start', ['nss', 'pam']) }
# Filter out the mandatory field to maintain compatibility
# with older versions of the API
filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
def set_option(self, optionname, value):
Set a service option to the specified value (or values)
The value to set. This may be a single value or a list of values. If
it is set to None, it resets the option to its default.
The specified option is not listed in the schema
The value specified was not of the expected type
# Set this option and do not add it to the list of changeable values
raise NoOptionError('Section [%s] has no option [%s]' % (
self.name, optionname))
# If we were expecting a list and didn't get one,
# Create a list with a single entry. If it's the
# wrong subtype, it will fail below
if option_schema[0] == list and type(value) != list:
if type(value) != option_schema[0]:
# If it's possible to convert it, do so
if option_schema[0] == bool and \
value = option_schema[0](value)
raise TypeError('Expected %s for %s, received %s' %
(option_schema[0], optionname, type(value)))
# Iterate through the list an ensure that all members
# are of the appropriate subtype
if option_schema[1] == bool and \
raise TypeError('Expected %s' % option_schema[1])
class SSSDDomain(SSSDConfigObject):
Object to manipulate SSSD domain options
def __init__(self, domainname, apischema):
Creates a new, empty SSSDDomain. This domain is inactive by default.
This constructor should not be used directly. Use
An SSSDConfigSchema object created by SSSDConfig.__init__()
The newly-created SSSDDomain object.
apischema was not an SSSDConfigSchema object or domainname was not
SSSDConfigObject.__init__(self)
if not isinstance(apischema, SSSDConfigSchema) or type(domainname) != str:
# Set up the domain object with any known defaults
# Set up default options for all domains
def set_active(self, active):
Enable or disable this domain
Boolean value. If True, this domain will be added to the active
domains list when it is saved. If False, it will be removed from the
active domains list when it is saved.
def list_options_with_mandatory(self):
List options for the currently-configured providers, including the
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), whether it is mandatory, the
translated option description, and the default value (or 'None') as
(bool, None, False, u'Enable enumerating all
users/groups', True) }
# Get the list of available options for all domains
# Candidate for future optimization: will update primary type
% (provider, providertype))
List options available for the currently-configured providers.
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), the translated option description, and
the default value (or 'None') as the value.
(bool, None, u'Enable enumerating all
users/groups', True) }
# Filter out the mandatory field to maintain compatibility
# with older versions of the API
filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
def list_mandatory_options(self):
List mandatory options for the currently-configured providers.
A dictionary of configurable options. This dictionary is keyed on the
option name with a tuple of the variable type, subtype ('None' if the
type is not a collection type), the translated option description, and
the default value (or 'None') as the value.
(bool, None, u'Enable enumerating all
users/groups', True) }
# Filter out the mandatory field to maintain compatibility
# with older versions of the API
filtered_options[key] = (options[key][0], options[key][1], options[key][3], options[key][4])
def list_provider_options(self, provider, provider_type=None):
If provider_type is specified, list all options applicable to that
target, otherwise list all possible options available for a provider.
Provider backend type. (
e.g. local, ldap, krb5, etc.)
Subtype of the backend type. (
e.g. id, auth, access, chpass)
A dictionary of configurable options for the specified provider type.
This dictionary is keyed on the option name with a tuple of the
variable type, subtype ('None' if the type is not a collection type),
the translated option description, and the default value (or 'None')
The specified provider is not listed in the schema or plugins
NoSuchProviderSubtypeError:
The specified provider subtype is not listed in the schema
(provider, provider_type)))
# Add options from all provider subtypes
for provider_type in known_providers[provider]:
def list_providers(self):
Return a dictionary of providers.
Returns a dictionary of providers, keyed on the primary type, with the
value being a tuple of the subtypes it supports.
{ 'ldap' : ('id', 'auth', 'chpass') }
def set_option(self, option, value):
Set a domain option to the specified value (or values)
The value to set. This may be a single value or a list of values.
If it is set to None, it resets the option to its default.
The specified option is not listed in the schema
The value specified was not of the expected type
raise NoOptionError('Section [%s] has no option [%s]' %
option_schema = options[option]
# If we were expecting a list and didn't get one,
# Create a list with a single entry. If it's the
# wrong subtype, it will fail below
if option_schema[0] == list and type(value) != list:
if type(value) != option_schema[0]:
# If it's possible to convert it, do so
if option_schema[0] == bool and \
elif option_schema[0] == int and type(value) == str:
# Make sure we handle any reasonable base
value = option_schema[0](value)
raise TypeError('Expected %s for %s, received %s' %
(option_schema[0], option, type(value)))
# Iterate through the list an ensure that all members
# are of the appropriate subtype
if option_schema[1] == bool and \
raise TypeError('Expected %s' % option_schema[1])
# Check whether we're adding a provider entry.
provider = option[:is_provider]
except NoSuchProviderError:
def set_name(self, newname):
Change the name of the domain
# Only set the oldname once
def add_provider(self, provider, provider_type):
Add a new provider type to the domain
Provider backend type. (
e.g. local, ldap, krb5, etc.)
Subtype of the backend type. (
e.g. id, auth, chpass)
Another backend is already providing this subtype
The specified provider is not listed in the schema or plugins
NoSuchProviderSubtypeError:
The specified provider subtype is not listed in the schema
# Check that provider and provider_type are valid
if provider_type not in configured_providers[provider]:
raise NoSuchProviderSubtypeError(provider_type)
raise NoSuchProviderError
# Don't add a provider twice
if len(with_this_type) > 1:
# This should never happen!
raise ProviderSubtypeInUse
if len(with_this_type) == 1:
if with_this_type[0][0] != provider:
raise ProviderSubtypeInUse(with_this_type[0][0])
option_name = '%s_provider' % provider_type
# Add defaults for this provider
def remove_provider(self, provider_type):
Remove a provider from the domain. If the provider is not present, it
Subtype of the backend type. (
e.g. id, auth, chpass)
if ptype == provider_type:
# Check whether the provider_type was found
# Remove any unused options when removing the provider.
# Trim any options that are used by other providers,
# if that provider is in use
# Ignore the one being removed
if (prov, ptype) == (provider, provider_type):
# We should now have a list of options used only by this
# provider. So we remove them.
# Remove this provider from the option list
option = '%s_provider' % provider_type
class SSSDConfig(SSSDChangeConf):
Primary class for operating on SSSD configurations
def __init__(self, schemafile=None, schemaplugindir=None):
Initialize the SSSD config
parser/editor. This constructor does not
open or create a config file. If the schemafile and schemaplugindir
are not passed, it will use the system defaults.
The path to the api schema config file. Usually
The path the directory containing the provider schema config files.
The newly-created SSSDConfig object.
Exception raised when the schema file could not be opened for
The main schema file or one of those in the plugin directory could
SSSDChangeConf.__init__(self)
self.schema = SSSDConfigSchema(schemafile, schemaplugindir)
def import_config(self,configfile=None):
Read in a config file, populating all of the service and domain
objects with the read values.
The path to the SSSD config file. If not specified, use the system
Exception raised when the file could not be opened for reading
Exception raised when errors occur attempting to parse a file.
This SSSDConfig object was already initialized by a call to
import_config() or new_config()
raise AlreadyInitializedError
#TODO: get this from a global setting
# open will raise an IOError if it fails
fd = open(configfile, 'r')
raise ParsingError("Wrong config_file_version")
# This happens when config_file_version is missing. We
# can assume it is the default version and continue.
Initialize the SSSDConfig object with the defaults from the schema.
This SSSDConfig object was already initialized by a call to
import_config() or new_config()
raise AlreadyInitializedError
def write(self, outputfile=None):
Write out the configuration to a file.
The path to write the new config file. If it is not specified, it
will use the path specified by the import() call.
Exception raised when the file could not be opened for writing
This SSSDConfig object has not had import_config() or new_config()
No outputfile was specified and this SSSDConfig object was not
raise NotInitializedError
# open() will raise IOError if it fails
of = open(outputfile, "wb")
def list_active_services(self):
Return a list of all active services.
The list of active services.
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
active_services = striplist(
self.get('sssd', 'services').split(','))
# Remove any entries in this list that don't
# correspond to an active service, for integrity
for srv in list(service_dict):
if srv not in configured_services:
active_services = list(service_dict)
def list_inactive_services(self):
Return a list of all disabled services.
The list of inactive services.
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
active_services = striplist(
self.get('sssd', 'services').split(','))
if x not in active_services]
Retrieve a list of known services.
The list of known services.
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
if not x['name'].startswith('domain') ]
def get_service(self, name):
Get an SSSDService object to edit a service.
The name of the service to return.
An SSSDService instance containing the current state of a service in
There is no such service with the specified name in the SSSDConfig.
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
# If we come across an option that we don't recognize,
# we should just ignore it and continue
def new_service(self, name):
Create a new service from the defaults and return the SSSDService
object for it. This function will also add this service to the list of
active services in the [SSSD] section.
The name of the service to create and return.
The newly-created SSSDService object
ServiceNotRecognizedError:
There is no such service in the schema.
ServiceAlreadyExistsError:
The service being created already exists in the SSSDConfig object.
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
raise ServiceAlreadyExists(name)
def activate_service(self, name):
The name of the service to activate
This SSSDConfig object has not had import_config() or new_config()
There is no such service with the specified name in the SSSDConfig.
raise NotInitializedError
# Turn the items into a set of dictionary keys
# This guarantees uniqueness and makes it easy
service_dict =
dict.fromkeys(striplist(item['value'].split(',')))
# Add a new key for the service being activated
service_dict[name] = None
# Write out the joined keys
def deactivate_service(self, name):
The name of the service to deactivate
This SSSDConfig object has not had import_config() or new_config()
There is no such service with the specified name in the SSSDConfig.
raise NotInitializedError
# Turn the items into a set of dictionary keys
# This guarantees uniqueness and makes it easy
# to remove the one unwanted value.
service_dict =
dict.fromkeys(striplist(item['value'].split(',')))
# Remove the unwanted service from the lest
# Write out the joined keys
def delete_service(self, name):
Remove a service from the SSSDConfig object. This function will also
remove this service from the list of active services in the [SSSD]
section. Has no effect if the service does not exist.
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
def save_service(self, service):
Save the changes made to the service object back to the SSSDConfig
The SSSDService object to save to the configuration.
This SSSDConfig object has not had import_config() or new_config()
service_object was not of the type SSSDService
raise NotInitializedError
if not isinstance(service, SSSDService):
# Ensure that the existing section is removed
# This way we ensure that we are getting a
# complete copy of the service.
# delete_option() is a noop if the section
if (type(value) == list):
def list_active_domains(self):
Return a list of all active domains.
The list of configured, active domains.
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
active_domains = striplist(
self.get('sssd', 'domains').split(','))
# Remove any entries in this list that don't
# correspond to an active domain, for integrity
for dom in list(domain_dict):
if dom not in configured_domains:
active_domains = list(domain_dict)
def list_inactive_domains(self):
Return a list of all configured, but disabled domains.
The list of configured, inactive domains.
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
active_domains = striplist(
self.get('sssd', 'domains').split(','))
if x not in active_domains]
Return a list of all configured domains, including inactive domains.
The list of configured domains, both active and inactive.
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
domains = [x['name'][7:] for x in
self.sections() if x['name'].startswith('domain/')]
def get_domain(self, name):
Get an SSSDDomain object to edit a domain.
The name of the domain to return.
An SSSDDomain instance containing the current state of a domain in the
There is no such domain with the specified name in the SSSDConfig.
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
raise NoDomainError(name)
# Read in the providers first or we may have type
# errors trying to read in their options
if x['name'].rfind('_provider') > 0]
for (option, value) in providers:
# If we come across an option that we don't recognize,
# we should just ignore it and continue
# Read in all the options from the configuration
if (opt['name'], opt['value']) not in providers:
# If we come across an option that we don't recognize,
# we should just ignore it and continue
# Determine if this domain is currently active
def new_domain(self, name):
Create a new, empty domain and return the SSSDDomain object for it.
The name of the domain to create and return.
The newly-created SSSDDomain object
DomainAlreadyExistsError:
The service being created already exists in the SSSDConfig object.
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
raise DomainAlreadyExistsError
def is_domain_active(self, name):
Is a particular domain set active
The name of the configured domain to check
True if the domain is active, False if it is inactive
This SSSDConfig object has not had import_config() or new_config()
No domain by this name is configured
raise NotInitializedError
def activate_domain(self, name):
Activate a configured domain
The name of the configured domain to activate
This SSSDConfig object has not had import_config() or new_config()
No domain by this name is configured
raise NotInitializedError
# Turn the items into a set of dictionary keys
# This guarantees uniqueness and makes it easy
# Add a new key for the domain being activated
# Write out the joined keys
def deactivate_domain(self, name):
Deactivate a configured domain
The name of the configured domain to deactivate
This SSSDConfig object has not had import_config() or new_config()
No domain by this name is configured
raise NotInitializedError
# Turn the items into a set of dictionary keys
# This guarantees uniqueness and makes it easy
# to remove the one unwanted value.
# Remove the unwanted domain from the lest
# Write out the joined keys
def delete_domain(self, name):
Remove a domain from the SSSDConfig object. This function will also
remove this domain from the list of active domains in the [SSSD]
This SSSDConfig object has not had import_config() or new_config()
raise NotInitializedError
# Remove the domain from the active domains list if applicable
def save_domain(self, domain):
Save the changes made to the domain object back to the SSSDConfig
object. If this domain is marked active, ensure it is present in the
active domain list in the [SSSD] section
The SSSDDomain object to save to the configuration.
This SSSDConfig object has not had import_config() or new_config()
domain_object was not of type SSSDDomain
raise NotInitializedError
if not isinstance(domain, SSSDDomain):
# We are renaming this domain
# Reset the oldname, in case we're not done with
sectionname = 'domain/%s' % name
if option['type'] == 'option':
if (type(value) == list):
self.set(sectionname, option, str(value))