1
# SOME DESCRIPTIVE TITLE
2
# Copyright (C) YEAR Red Hat
3
# This file is distributed under the same license as the sssd-docs package.
7
"Project-Id-Version: SSSD\n"
8
"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
9
"POT-Creation-Date: 2011-05-27 16:03-0300\n"
10
"PO-Revision-Date: 2011-05-27 19:58+0000\n"
11
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
12
"Language-Team: Greek <trans-el@lists.fedoraproject.org>\n"
15
"Content-Type: text/plain; charset=UTF-8\n"
16
"Content-Transfer-Encoding: 8bit\n"
17
"Plural-Forms: nplurals=2; plural=(n != 1)\n"
19
#. type: Content of: <reference><title>
20
#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
21
#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5
22
#: sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5
23
#: sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5
24
#: sss_groupshow.8.xml:5 sss_usermod.8.xml:5
25
msgid "SSSD Manual pages"
28
#. type: Content of: <reference><refentry><refnamediv><refname>
29
#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
33
#. type: Content of: <reference><refentry><refmeta><manvolnum>
34
#: sss_groupmod.8.xml:11 pam_sss.8.xml:14 sssd_krb5_locator_plugin.8.xml:11
35
#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_useradd.8.xml:11
36
#: sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11
37
#: sss_groupshow.8.xml:11 sss_usermod.8.xml:11
41
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
42
#: sss_groupmod.8.xml:16
43
msgid "modify a group"
46
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
47
#: sss_groupmod.8.xml:21
49
"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
50
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
54
#. type: Content of: <reference><refentry><refsect1><title>
55
#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
56
#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
57
#: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
58
#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
59
#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
63
#. type: Content of: <reference><refentry><refsect1><para>
64
#: sss_groupmod.8.xml:32
66
"<command>sss_groupmod</command> modifies the group to reflect the changes "
67
"that are specified on the command line."
70
#. type: Content of: <reference><refentry><refsect1><title>
71
#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
72
#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
73
#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
77
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
78
#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
80
"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
84
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
85
#: sss_groupmod.8.xml:48
87
"Append this group to groups specified by the <replaceable>GROUPS</"
88
"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
89
"a comma separated list of group names."
92
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
93
#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
95
"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
99
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
100
#: sss_groupmod.8.xml:62
102
"Remove this group from groups specified by the <replaceable>GROUPS</"
103
"replaceable> parameter."
106
#. type: Content of: <reference><refentry><refsect1><title>
107
#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1008 sssd-ldap.5.xml:1418
108
#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
109
#: sssd-ipa.5.xml:206 sssd.8.xml:166 sss_obfuscate.8.xml:103
110
#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
111
#: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
112
#: sss_usermod.8.xml:138
116
#. type: Content of: <reference><refentry><refsect1><para>
117
#: sss_groupmod.8.xml:74
119
"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
120
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
121
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
122
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
123
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
124
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
125
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
126
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
127
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
130
#. type: Content of: <reference><refentry><refnamediv><refname>
131
#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
135
#. type: Content of: <reference><refentry><refmeta><manvolnum>
136
#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
137
#: sssd-ipa.5.xml:11 sssd-krb5.5.xml:11
141
#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
142
#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
143
#: sssd-ipa.5.xml:12 sssd-krb5.5.xml:12
144
msgid "File Formats and Conventions"
147
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
148
#: sssd.conf.5.xml:17 sssd-ldap.5.xml:17 sssd_krb5_locator_plugin.8.xml:16
149
#: sssd-ipa.5.xml:17 sssd-krb5.5.xml:17
150
msgid "the configuration file for SSSD"
153
#. type: Content of: <reference><refentry><refsect1><title>
154
#: sssd.conf.5.xml:21
158
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
159
#: sssd.conf.5.xml:29
162
" <replaceable>[section]</replaceable>\n"
163
" <replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
164
" <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
168
#. type: Content of: <reference><refentry><refsect1><para>
169
#: sssd.conf.5.xml:24
171
"The file has an ini-style syntax and consists of sections and parameters. A "
172
"section begins with the name of the section in square brackets and continues "
173
"until the next section begins. An example of section with single and multi-"
174
"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
177
#. type: Content of: <reference><refentry><refsect1><para>
178
#: sssd.conf.5.xml:36
180
"The data types used are string (no quotes needed), integer and bool (with "
181
"values of <quote>TRUE/FALSE</quote>)."
184
#. type: Content of: <reference><refentry><refsect1><para>
185
#: sssd.conf.5.xml:41
187
"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
191
#. type: Content of: <reference><refentry><refsect1><para>
192
#: sssd.conf.5.xml:46
194
"All sections can have an optional <replaceable>description</replaceable> "
195
"parameter. Its function is only as a label for the section."
198
#. type: Content of: <reference><refentry><refsect1><para>
199
#: sssd.conf.5.xml:52
201
"<filename>sssd.conf</filename> must be a regular file, owned by root and "
202
"only root may read from or write to the file."
205
#. type: Content of: <reference><refentry><refsect1><title>
206
#: sssd.conf.5.xml:58
207
msgid "SPECIAL SECTIONS"
210
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
211
#: sssd.conf.5.xml:61
212
msgid "The [sssd] section"
215
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
216
#: sssd.conf.5.xml:70 sssd.conf.5.xml:854
217
msgid "Section parameters"
220
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
221
#: sssd.conf.5.xml:72
222
msgid "config_file_version (integer)"
225
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
226
#: sssd.conf.5.xml:75
228
"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
232
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
233
#: sssd.conf.5.xml:81
237
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
238
#: sssd.conf.5.xml:84
240
"Comma separated list of services that are started when sssd itself starts."
243
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
244
#: sssd.conf.5.xml:88
245
msgid "Supported services: nss, pam"
248
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
249
#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
250
msgid "reconnection_retries (integer)"
253
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
254
#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
256
"Number of times services should attempt to reconnect in the event of a Data "
257
"Provider crash or restart before they give up"
260
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
261
#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
265
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
266
#: sssd.conf.5.xml:106
270
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
271
#: sssd.conf.5.xml:109
273
"A domain is a database containing user information. SSSD can use more "
274
"domains at the same time, but at least one must be configured or SSSD won't "
275
"start. This parameter described the list of domains in the order you want "
276
"them to be queried."
279
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
280
#: sssd.conf.5.xml:119
281
msgid "re_expression (string)"
284
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
285
#: sssd.conf.5.xml:122
287
"Regular expression that describes how to parse the string containing user "
288
"name and domain into these components."
291
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
292
#: sssd.conf.5.xml:126
294
"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
295
"which translates to \"the name is everything up to the <quote>@</quote> "
296
"sign, the domain everything after that\""
299
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
300
#: sssd.conf.5.xml:131
302
"PLEASE NOTE: the support for non-unique named subpatterns is not available "
303
"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
304
"version 7 or higher can support non-unique named subpatterns."
307
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
308
#: sssd.conf.5.xml:138
310
"PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
311
"P<name>) to label subpatterns."
314
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
315
#: sssd.conf.5.xml:145
316
msgid "full_name_format (string)"
319
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
320
#: sssd.conf.5.xml:148
322
"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
323
"manvolnum> </citerefentry>-compatible format that describes how to translate "
324
"a (name, domain) tuple into a fully qualified name."
327
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
328
#: sssd.conf.5.xml:156
329
msgid "Default: <quote>%1$s@%2$s</quote>."
332
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
333
#: sssd.conf.5.xml:161
334
msgid "try_inotify (boolean)"
337
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
338
#: sssd.conf.5.xml:164
340
"SSSD monitors the state of resolv.conf to identify when it needs to update "
341
"its internal DNS resolver. By default, we will attempt to use inotify for "
342
"this, and will fall back to polling resolv.conf every five seconds if "
343
"inotify cannot be used."
346
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
347
#: sssd.conf.5.xml:172
349
"There are some limited situations where it is preferred that we should skip "
350
"even trying to use inotify. In these rare cases, this option should be set "
354
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
355
#: sssd.conf.5.xml:178
357
"Default: true on platforms where inotify is supported. False on other "
361
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
362
#: sssd.conf.5.xml:182
364
"Note: this option will have no effect on platforms where inotify is "
365
"unavailable. On these platforms, polling will always be used."
368
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
369
#: sssd.conf.5.xml:63
371
"Individual pieces of SSSD functionality are provided by special SSSD "
372
"services that are started and stopped together with SSSD. The services are "
373
"managed by a special service frequently called <quote>monitor</quote>. The "
374
"<quote>[sssd]</quote> section is used to configure the monitor as well as "
375
"some other important options like the identity domains. <placeholder type="
376
"\"variablelist\" id=\"0\"/>"
379
#. type: Content of: <reference><refentry><refsect1><title>
380
#: sssd.conf.5.xml:195
381
msgid "SERVICES SECTIONS"
384
#. type: Content of: <reference><refentry><refsect1><para>
385
#: sssd.conf.5.xml:197
387
"Settings that can be used to configure different services are described in "
388
"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
389
"section, for example, for NSS service, the section would be <quote>[nss]</"
393
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
394
#: sssd.conf.5.xml:204
395
msgid "General service configuration options"
398
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
399
#: sssd.conf.5.xml:206
400
msgid "These options can be used to configure any service."
403
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
404
#: sssd.conf.5.xml:210
405
msgid "debug_level (integer)"
408
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
409
#: sssd.conf.5.xml:213
411
"Sets the debug level for the service. The value can be in range from 0 (only "
412
"critical messages) to 10 (very verbose)."
415
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
416
#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
420
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
421
#: sssd.conf.5.xml:223 sssd.8.xml:58
422
msgid "debug_timestamps (bool)"
425
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
426
#: sssd.conf.5.xml:226 sssd.8.xml:61
427
msgid "Add a timestamp to the debug messages"
430
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
431
#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1044
432
#: sssd-ldap.5.xml:1149 sssd-ipa.5.xml:155
433
msgid "Default: true"
436
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
437
#: sssd.conf.5.xml:247
438
msgid "command (string)"
441
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
442
#: sssd.conf.5.xml:250
444
"By default, the executable representing this service is called <command>sssd_"
445
"${service_name}</command>. This directive allows to change the executable "
446
"name for the service. In the vast majority of configurations, the default "
447
"values should suffice."
450
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
451
#: sssd.conf.5.xml:258
452
msgid "Default: <command>sssd_${service_name}</command>"
455
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
456
#: sssd.conf.5.xml:266
457
msgid "NSS configuration options"
460
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
461
#: sssd.conf.5.xml:268
463
"These options can be used to configure the Name Service Switch (NSS) service."
466
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
467
#: sssd.conf.5.xml:273
468
msgid "enum_cache_timeout (integer)"
471
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
472
#: sssd.conf.5.xml:276
474
"How many seconds should nss_sss cache enumerations (requests for info about "
478
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
479
#: sssd.conf.5.xml:280
483
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
484
#: sssd.conf.5.xml:285
485
msgid "entry_cache_nowait_percentage (integer)"
488
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
489
#: sssd.conf.5.xml:288
491
"The entry cache can be set to automatically update entries in the background "
492
"if they are requested beyond a percentage of the entry_cache_timeout value "
496
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
497
#: sssd.conf.5.xml:294
499
"For example, if the domain's entry_cache_timeout is set to 30s and "
500
"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
501
"after 15 seconds past the last cache update will be returned immediately, "
502
"but the SSSD will go and update the cache on its own, so that future "
503
"requests will not need to block waiting for a cache update."
506
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
507
#: sssd.conf.5.xml:304
509
"Valid values for this option are 0-99 and represent a percentage of the "
510
"entry_cache_timeout for each domain. For performance reasons, this "
511
"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
512
"disables this feature)"
515
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
516
#: sssd.conf.5.xml:317
517
msgid "entry_negative_timeout (integer)"
520
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
521
#: sssd.conf.5.xml:320
523
"Specifies for how many seconds nss_sss should cache negative cache hits "
524
"(that is, queries for invalid database entries, like nonexistent ones) "
525
"before asking the back end again."
528
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
529
#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
533
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
534
#: sssd.conf.5.xml:331
535
msgid "filter_users, filter_groups (string)"
538
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
539
#: sssd.conf.5.xml:334
541
"Exclude certain users from being fetched from the sss NSS database. This is "
542
"particularly useful for system accounts. This option can also be set per-"
543
"domain or include fully-qualified names to filter only users from the "
547
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
548
#: sssd.conf.5.xml:341
549
msgid "Default: root"
552
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
553
#: sssd.conf.5.xml:346
554
msgid "filter_users_in_groups (bool)"
557
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
558
#: sssd.conf.5.xml:349
560
"If you want filtered user still be group members set this option to false."
563
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
564
#: sssd.conf.5.xml:360
565
msgid "PAM configuration options"
568
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
569
#: sssd.conf.5.xml:362
571
"These options can be used to configure the Pluggable Authentication Module "
575
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
576
#: sssd.conf.5.xml:367
577
msgid "offline_credentials_expiration (integer)"
580
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
581
#: sssd.conf.5.xml:370
583
"If the authentication provider is offline, how long should we allow cached "
584
"logins (in days since the last successful online login)."
587
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
588
#: sssd.conf.5.xml:375 sssd.conf.5.xml:388
589
msgid "Default: 0 (No limit)"
592
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
593
#: sssd.conf.5.xml:381
594
msgid "offline_failed_login_attempts (integer)"
597
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
598
#: sssd.conf.5.xml:384
600
"If the authentication provider is offline, how many failed login attempts "
604
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
605
#: sssd.conf.5.xml:394
606
msgid "offline_failed_login_delay (integer)"
609
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
610
#: sssd.conf.5.xml:397
612
"The time in minutes which has to pass after offline_failed_login_attempts "
613
"has been reached before a new login attempt is possible."
616
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
617
#: sssd.conf.5.xml:402
619
"If set to 0 the user cannot authenticate offline if "
620
"offline_failed_login_attempts has been reached. Only a successful online "
621
"authentication can enable enable offline authentication again."
624
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
625
#: sssd.conf.5.xml:408 sssd.conf.5.xml:461 sssd.conf.5.xml:793
629
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
630
#: sssd.conf.5.xml:414
631
msgid "pam_verbosity (integer)"
634
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
635
#: sssd.conf.5.xml:417
637
"Controls what kind of messages are shown to the user during authentication. "
638
"The higher the number to more messages are displayed."
641
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
642
#: sssd.conf.5.xml:422
643
msgid "Currently sssd supports the following values:"
646
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
647
#: sssd.conf.5.xml:425
648
msgid "<emphasis>0</emphasis>: do not show any message"
651
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
652
#: sssd.conf.5.xml:428
653
msgid "<emphasis>1</emphasis>: show only important messages"
656
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
657
#: sssd.conf.5.xml:432
658
msgid "<emphasis>2</emphasis>: show informational messages"
661
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
662
#: sssd.conf.5.xml:435
663
msgid "<emphasis>3</emphasis>: show all messages and debug information"
666
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
667
#: sssd.conf.5.xml:439
671
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
672
#: sssd.conf.5.xml:444
673
msgid "pam_id_timeout (integer)"
676
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
677
#: sssd.conf.5.xml:447
679
"For any PAM request while SSSD is online, the SSSD will attempt to "
680
"immediately update the cached identity information for the user in order to "
681
"ensure that authentication takes place with the latest information."
684
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
685
#: sssd.conf.5.xml:453
687
"A complete PAM conversation may perform multiple PAM requests, such as "
688
"account management and session opening. This option controls (on a per-"
689
"client-application basis) how long (in seconds) we can cache the identity "
690
"information to avoid excessive round-trips to the identity provider."
693
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
694
#: sssd.conf.5.xml:467
695
msgid "pam_pwd_expiration_warning (integer)"
698
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
699
#: sssd.conf.5.xml:470
700
msgid "Display a warning N days before the password expires."
703
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
704
#: sssd.conf.5.xml:473
706
"Please note that the backend server has to provide information about the "
707
"expiration time of the password. If this information is missing, sssd "
708
"cannot display a warning."
711
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
712
#: sssd.conf.5.xml:479
716
#. type: Content of: <reference><refentry><refsect1><title>
717
#: sssd.conf.5.xml:488
718
msgid "DOMAIN SECTIONS"
721
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
722
#: sssd.conf.5.xml:495
723
msgid "min_id,max_id (integer)"
726
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
727
#: sssd.conf.5.xml:498
729
"UID and GID limits for the domain. If a domain contains an entry that is "
730
"outside these limits, it is ignored."
733
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
734
#: sssd.conf.5.xml:503
736
"For users, this affects the primary GID limit. The user will not be returned "
737
"to NSS if either the UID or the primary GID is outside the range. For non-"
738
"primary group memberships, those that are in range will be reported as "
742
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
743
#: sssd.conf.5.xml:510
744
msgid "Default: 1 for min_id, 0 (no limit) for max_id"
747
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
748
#: sssd.conf.5.xml:516
749
msgid "timeout (integer)"
752
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
753
#: sssd.conf.5.xml:519
755
"Timeout in seconds between heartbeats for this domain. This is used to "
756
"ensure that the backend process is alive and capable of answering requests."
759
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
760
#: sssd.conf.5.xml:524
764
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
765
#: sssd.conf.5.xml:530
766
msgid "enumerate (bool)"
769
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
770
#: sssd.conf.5.xml:533
772
"Determines if a domain can be enumerated. This parameter can have one of the "
776
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
777
#: sssd.conf.5.xml:537
778
msgid "TRUE = Users and groups are enumerated"
781
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
782
#: sssd.conf.5.xml:540
783
msgid "FALSE = No enumerations for this domain"
786
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
787
#: sssd.conf.5.xml:543 sssd.conf.5.xml:591 sssd.conf.5.xml:645
788
msgid "Default: FALSE"
791
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
792
#: sssd.conf.5.xml:546
794
"Note: Enabling enumeration has a moderate performance impact on SSSD while "
795
"enumeration is running. It may take up to several minutes after SSSD startup "
796
"to fully complete enumerations. During this time, individual requests for "
797
"information will go directly to LDAP, though it may be slow, due to the "
798
"heavy enumeration processing."
801
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
802
#: sssd.conf.5.xml:556
804
"While the first enumeration is running, requests for the complete user or "
805
"group lists may return no results until it completes."
808
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
809
#: sssd.conf.5.xml:561
811
"Further, enabling enumeration may increase the time necessary to detect "
812
"network disconnection, as longer timeouts are required to ensure that "
813
"enumeration lookups are completed successfully. For more information, refer "
814
"to the man pages for the specific id_provider in use."
817
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
818
#: sssd.conf.5.xml:572
819
msgid "entry_cache_timeout (integer)"
822
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
823
#: sssd.conf.5.xml:575
825
"How many seconds should nss_sss consider entries valid before asking the "
829
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
830
#: sssd.conf.5.xml:579
831
msgid "Default: 5400"
834
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
835
#: sssd.conf.5.xml:584
836
msgid "cache_credentials (bool)"
839
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
840
#: sssd.conf.5.xml:587
841
msgid "Determines if user credentials are also cached in the local LDB cache"
844
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
845
#: sssd.conf.5.xml:596
846
msgid "account_cache_expiration (integer)"
849
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
850
#: sssd.conf.5.xml:599
852
"Number of days entries are left in cache after last successful login before "
853
"being removed during a cleanup of the cache. 0 means keep forever. The "
854
"value of this parameter must be greater than or equal to "
855
"offline_credentials_expiration."
858
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
859
#: sssd.conf.5.xml:606
860
msgid "Default: 0 (unlimited)"
863
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
864
#: sssd.conf.5.xml:612
865
msgid "id_provider (string)"
868
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
869
#: sssd.conf.5.xml:615
870
msgid "The Data Provider identity backend to use for this domain."
873
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
874
#: sssd.conf.5.xml:619
875
msgid "Supported backends:"
878
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
879
#: sssd.conf.5.xml:622
880
msgid "proxy: Support a legacy NSS provider"
883
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
884
#: sssd.conf.5.xml:625
885
msgid "local: SSSD internal local provider"
888
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
889
#: sssd.conf.5.xml:628
890
msgid "ldap: LDAP provider"
893
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
894
#: sssd.conf.5.xml:634
895
msgid "use_fully_qualified_names (bool)"
898
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
899
#: sssd.conf.5.xml:637
901
"If set to TRUE, all requests to this domain must use fully qualified names. "
902
"For example, if used in LOCAL domain that contains a \"test\" user, "
903
"<command>getent passwd test</command> wouldn't find the user while "
904
"<command>getent passwd test@LOCAL</command> would."
907
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
908
#: sssd.conf.5.xml:650
909
msgid "auth_provider (string)"
912
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
913
#: sssd.conf.5.xml:653
915
"The authentication provider used for the domain. Supported auth providers "
919
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
920
#: sssd.conf.5.xml:657
922
"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
923
"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
924
"citerefentry> for more information on configuring LDAP."
927
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
928
#: sssd.conf.5.xml:664
930
"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
931
"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
932
"citerefentry> for more information on configuring Kerberos."
935
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
936
#: sssd.conf.5.xml:671
938
"<quote>proxy</quote> for relaying authentication to some other PAM target."
941
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
942
#: sssd.conf.5.xml:674
943
msgid "<quote>none</quote> disables authentication explicitly."
946
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
947
#: sssd.conf.5.xml:677
949
"Default: <quote>id_provider</quote> is used if it is set and can handle "
950
"authentication requests."
953
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
954
#: sssd.conf.5.xml:683
955
msgid "access_provider (string)"
958
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
959
#: sssd.conf.5.xml:686
961
"The access control provider used for the domain. There are two built-in "
962
"access providers (in addition to any included in installed backends). "
963
"Internal special providers are:"
966
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
967
#: sssd.conf.5.xml:692
968
msgid "<quote>permit</quote> always allow access."
971
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
972
#: sssd.conf.5.xml:695
973
msgid "<quote>deny</quote> always deny access."
976
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
977
#: sssd.conf.5.xml:698
979
"<quote>simple</quote> access control based on access or deny lists. See "
980
"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
981
"manvolnum></citerefentry> for more information on configuring the simple "
985
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
986
#: sssd.conf.5.xml:705
987
msgid "Default: <quote>permit</quote>"
990
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
991
#: sssd.conf.5.xml:710
992
msgid "chpass_provider (string)"
995
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
996
#: sssd.conf.5.xml:713
998
"The provider which should handle change password operations for the domain. "
999
"Supported change password providers are:"
1002
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1003
#: sssd.conf.5.xml:718
1005
"<quote>ipa</quote> to change a password stored in an IPA server. See "
1006
"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
1007
"manvolnum> </citerefentry> for more information on configuring IPA."
1010
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1011
#: sssd.conf.5.xml:726
1013
"<quote>ldap</quote> to change a password stored in an LDAP server. See "
1014
"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
1015
"manvolnum> </citerefentry> for more information on configuring LDAP."
1018
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1019
#: sssd.conf.5.xml:734
1021
"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
1022
"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
1023
"citerefentry> for more information on configuring Kerberos."
1026
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1027
#: sssd.conf.5.xml:742
1029
"<quote>proxy</quote> for relaying password changes to some other PAM target."
1032
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1033
#: sssd.conf.5.xml:746
1034
msgid "<quote>none</quote> disallows password changes explicitly."
1037
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1038
#: sssd.conf.5.xml:749
1040
"Default: <quote>auth_provider</quote> is used if it is set and can handle "
1041
"change password requests."
1044
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1045
#: sssd.conf.5.xml:756
1046
msgid "lookup_family_order (string)"
1049
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1050
#: sssd.conf.5.xml:759
1052
"Provides the ability to select the preferred address family to use when "
1053
"performing DNS lookups."
1056
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1057
#: sssd.conf.5.xml:763
1058
msgid "Supported values:"
1061
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1062
#: sssd.conf.5.xml:766
1063
msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
1066
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1067
#: sssd.conf.5.xml:769
1068
msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
1071
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1072
#: sssd.conf.5.xml:772
1073
msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
1076
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1077
#: sssd.conf.5.xml:775
1078
msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
1081
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1082
#: sssd.conf.5.xml:778
1083
msgid "Default: ipv4_first"
1086
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1087
#: sssd.conf.5.xml:784
1088
msgid "dns_resolver_timeout (integer)"
1091
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1092
#: sssd.conf.5.xml:787
1094
"Defines the amount of time (in seconds) to wait for a reply from the DNS "
1095
"resolver before assuming that it is unreachable. If this timeout is reached, "
1096
"the domain will continue to operate in offline mode."
1099
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1100
#: sssd.conf.5.xml:799
1101
msgid "dns_discovery_domain (string)"
1104
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1105
#: sssd.conf.5.xml:802
1107
"If service discovery is used in the back end, specifies the domain part of "
1108
"the service discovery DNS query."
1111
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1112
#: sssd.conf.5.xml:806
1113
msgid "Default: Use the domain part of machine's hostname"
1116
#. type: Content of: <reference><refentry><refsect1><para>
1117
#: sssd.conf.5.xml:490
1119
"These configuration options can be present in a domain configuration "
1120
"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
1121
"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
1124
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1125
#: sssd.conf.5.xml:818
1126
msgid "proxy_pam_target (string)"
1129
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1130
#: sssd.conf.5.xml:821
1131
msgid "The proxy target PAM proxies to."
1134
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1135
#: sssd.conf.5.xml:824
1137
"Default: not set by default, you have to take an existing pam configuration "
1138
"or create a new one and add the service name here."
1141
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1142
#: sssd.conf.5.xml:832
1143
msgid "proxy_lib_name (string)"
1146
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1147
#: sssd.conf.5.xml:835
1149
"The name of the NSS library to use in proxy domains. The NSS functions "
1150
"searched for in the library are in the form of _nss_$(libName)_$(function), "
1151
"for example _nss_files_getpwent."
1154
#. type: Content of: <reference><refentry><refsect1><para>
1155
#: sssd.conf.5.xml:814
1157
"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
1161
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
1162
#: sssd.conf.5.xml:847
1163
msgid "The local domain section"
1166
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
1167
#: sssd.conf.5.xml:849
1169
"This section contains settings for a domain that stores users and groups in "
1170
"the SSSD native database, that is, a domain that uses "
1171
"<replaceable>id_provider=local</replaceable>."
1174
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1175
#: sssd.conf.5.xml:856
1176
msgid "default_shell (string)"
1179
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1180
#: sssd.conf.5.xml:859
1181
msgid "The default shell for users created with SSSD userspace tools."
1184
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1185
#: sssd.conf.5.xml:863
1186
msgid "Default: <filename>/bin/bash</filename>"
1189
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1190
#: sssd.conf.5.xml:868
1191
msgid "base_directory (string)"
1194
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1195
#: sssd.conf.5.xml:871
1197
"The tools append the login name to <replaceable>base_directory</replaceable> "
1198
"and use that as the home directory."
1201
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1202
#: sssd.conf.5.xml:876
1203
msgid "Default: <filename>/home</filename>"
1206
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1207
#: sssd.conf.5.xml:881
1208
msgid "create_homedir (bool)"
1211
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1212
#: sssd.conf.5.xml:884
1214
"Indicate if a home directory should be created by default for new users. "
1215
"Can be overridden on command line."
1218
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1219
#: sssd.conf.5.xml:888 sssd.conf.5.xml:900
1220
msgid "Default: TRUE"
1223
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1224
#: sssd.conf.5.xml:893
1225
msgid "remove_homedir (bool)"
1228
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1229
#: sssd.conf.5.xml:896
1231
"Indicate if a home directory should be removed by default for deleted "
1232
"users. Can be overridden on command line."
1235
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1236
#: sssd.conf.5.xml:905
1237
msgid "homedir_umask (integer)"
1240
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1241
#: sssd.conf.5.xml:908
1243
"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
1244
"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
1245
"on a newly created home directory."
1248
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1249
#: sssd.conf.5.xml:916
1250
msgid "Default: 077"
1253
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1254
#: sssd.conf.5.xml:921
1255
msgid "skel_dir (string)"
1258
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1259
#: sssd.conf.5.xml:924
1261
"The skeleton directory, which contains files and directories to be copied into "
1262
"the user's home directory, when the home directory is created by "
1263
"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
1264
"manvolnum> </citerefentry>"
1267
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1268
#: sssd.conf.5.xml:934
1269
msgid "Default: <filename>/etc/skel</filename>"
1272
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1273
#: sssd.conf.5.xml:939
1274
msgid "mail_dir (string)"
1277
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1278
#: sssd.conf.5.xml:942
1280
"The mail spool directory. This is needed to manipulate the mailbox when its "
1281
"corresponding user account is modified or deleted. If not specified, a "
1282
"default value is used."
1285
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1286
#: sssd.conf.5.xml:949
1287
msgid "Default: <filename>/var/mail</filename>"
1290
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1291
#: sssd.conf.5.xml:954
1292
msgid "userdel_cmd (string)"
1295
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1296
#: sssd.conf.5.xml:957
1298
"The command is passed the "
1299
"username of the user being removed as the first and only parameter. The "
1300
"return code of the command is not taken into account."
1303
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1304
#: sssd.conf.5.xml:963
1305
msgid "Default: None, no command is run"
1308
#. type: Content of: <reference><refentry><refsect1><title>
1309
#: sssd.conf.5.xml:973 sssd-ldap.5.xml:1386 sssd-simple.5.xml:126
1310
#: sssd-ipa.5.xml:188 sssd-krb5.5.xml:405
1314
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
1315
#: sssd.conf.5.xml:979
1320
"services = nss, pam\n"
1321
"config_file_version = 2\n"
1324
"filter_groups = root\n"
1325
"filter_users = root\n"
1330
"id_provider = ldap\n"
1331
"ldap_uri = ldap://ldap.example.com\n"
1332
"ldap_search_base = dc=example,dc=com\n"
1334
"auth_provider = krb5\n"
1335
"krb5_server = kerberos.example.com\n"
1336
"krb5_realm = EXAMPLE.COM\n"
1337
"cache_credentials = true\n"
1341
"enumerate = False\n"
1344
#. type: Content of: <reference><refentry><refsect1><para>
1345
#: sssd.conf.5.xml:975
1347
"The following example shows a typical SSSD config. It does not describe "
1348
"configuration of the domains themselves - refer to documentation on "
1349
"configuring domains for more details. <placeholder type=\"programlisting\" "
1353
#. type: Content of: <reference><refentry><refsect1><para>
1354
#: sssd.conf.5.xml:1010
1356
"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
1357
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
1358
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
1359
"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
1360
"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
1361
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
1362
"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
1363
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
1364
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
1365
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
1366
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
1367
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
1368
"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </"
1372
#. type: Content of: <reference><refentry><refnamediv><refname>
1373
#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
1377
#. type: Content of: <reference><refentry><refsect1><para>
1378
#: sssd-ldap.5.xml:23
1380
"This manual page describes the configuration of LDAP domains for "
1381
"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
1382
"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
1383
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
1384
"manvolnum> </citerefentry> manual page for detailed syntax information."
1387
#. type: Content of: <reference><refentry><refsect1><para>
1388
#: sssd-ldap.5.xml:35
1389
msgid "You can configure SSSD to use more than one LDAP domain."
1392
#. type: Content of: <reference><refentry><refsect1><para>
1393
#: sssd-ldap.5.xml:38
1395
"LDAP back end supports id, auth, access and chpass providers. If you want to "
1396
"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
1397
"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
1398
"over an unencrypted channel. If the LDAP server is used only as an identity "
1399
"provider, an encrypted channel is not needed, although identity data then "
"travels over the network unprotected. Please refer to "
1400
"<quote>ldap_access_filter</quote> config option for more information about "
1401
"using LDAP as an access provider."
1404
#. type: Content of: <reference><refentry><refsect1><title>
1405
#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:61
1406
#: sssd-krb5.5.xml:63
1407
msgid "CONFIGURATION OPTIONS"
1410
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1411
#: sssd-ldap.5.xml:60
1412
msgid "ldap_uri (string)"
1415
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1416
#: sssd-ldap.5.xml:63
1418
"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
1419
"should connect in the order of preference. Refer to the <quote>FAILOVER</"
1420
"quote> section for more information on failover and server redundancy. If "
1421
"not specified, service discovery is enabled. For more information, refer to "
1422
"the <quote>SERVICE DISCOVERY</quote> section."
1425
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1426
#: sssd-ldap.5.xml:70
1427
msgid "The format of the URI must match the format defined in RFC 2732:"
1430
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1431
#: sssd-ldap.5.xml:73
1432
msgid "ldap[s]://<host>[:port]"
1435
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1436
#: sssd-ldap.5.xml:76
1438
"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
1441
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1442
#: sssd-ldap.5.xml:79
1443
msgid "example: ldap://[fc00::126:25]:389"
1446
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1447
#: sssd-ldap.5.xml:85
1448
msgid "ldap_chpass_uri (string)"
1451
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1452
#: sssd-ldap.5.xml:88
1454
"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
1455
"in the order of preference to change the password of a user. Refer to the "
1456
"<quote>FAILOVER</quote> section for more information on failover and server "
1460
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1461
#: sssd-ldap.5.xml:95
1462
msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
1465
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1466
#: sssd-ldap.5.xml:99
1467
msgid "Default: empty, i.e. ldap_uri is used."
1470
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1471
#: sssd-ldap.5.xml:105
1472
msgid "ldap_search_base (string)"
1475
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1476
#: sssd-ldap.5.xml:108
1477
msgid "The default base DN to use for performing LDAP user operations."
1480
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1481
#: sssd-ldap.5.xml:112
1483
"Default: If not set the value of the defaultNamingContext or namingContexts "
1484
"attribute from the RootDSE of the LDAP server is used. If "
1485
"defaultNamingContext does not exist or has an empty value, namingContexts is "
1486
"used. The namingContexts attribute must have a single value with the DN of "
1487
"the search base of the LDAP server to make this work. Multiple values are "
1488
"not supported."
1491
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1492
#: sssd-ldap.5.xml:126
1493
msgid "ldap_schema (string)"
1496
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1497
#: sssd-ldap.5.xml:129
1499
"Specifies the Schema Type in use on the target LDAP server. Depending on "
1500
"the selected schema, the default attribute names retrieved from the servers "
1501
"may vary. The way that some attributes are handled may also differ. Three "
1502
"schema types are currently supported: rfc2307 rfc2307bis IPA The main "
1503
"difference between these schema types is how group memberships are recorded "
1504
"in the server. With rfc2307, group members are listed by name in the "
1505
"<emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, group "
1506
"members are listed by DN and stored in the <emphasis>member</emphasis> "
1510
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1511
#: sssd-ldap.5.xml:148
1512
msgid "Default: rfc2307"
1515
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1516
#: sssd-ldap.5.xml:154
1517
msgid "ldap_default_bind_dn (string)"
1520
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1521
#: sssd-ldap.5.xml:157
1522
msgid "The default bind DN to use for performing LDAP operations."
1525
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1526
#: sssd-ldap.5.xml:164
1527
msgid "ldap_default_authtok_type (string)"
1530
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1531
#: sssd-ldap.5.xml:167
1532
msgid "The type of the authentication token of the default bind DN."
1535
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1536
#: sssd-ldap.5.xml:171
1537
msgid "The two mechanisms currently supported are:"
1540
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1541
#: sssd-ldap.5.xml:174
1545
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1546
#: sssd-ldap.5.xml:177
1547
msgid "obfuscated_password"
1550
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1551
#: sssd-ldap.5.xml:180
1552
msgid "default: password"
1555
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1556
#: sssd-ldap.5.xml:186
1557
msgid "ldap_default_authtok (string)"
1560
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1561
#: sssd-ldap.5.xml:189
1563
"The authentication token of the default bind DN. Only clear text passwords "
1564
"are currently supported."
1567
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1568
#: sssd-ldap.5.xml:196
1569
msgid "ldap_user_object_class (string)"
1572
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1573
#: sssd-ldap.5.xml:199
1574
msgid "The object class of a user entry in LDAP."
1577
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1578
#: sssd-ldap.5.xml:202
1579
msgid "Default: posixAccount"
1582
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1583
#: sssd-ldap.5.xml:208
1584
msgid "ldap_user_name (string)"
1587
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1588
#: sssd-ldap.5.xml:211
1589
msgid "The LDAP attribute that corresponds to the user's login name."
1592
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1593
#: sssd-ldap.5.xml:215
1594
msgid "Default: uid"
1597
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1598
#: sssd-ldap.5.xml:221
1599
msgid "ldap_user_uid_number (string)"
1602
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1603
#: sssd-ldap.5.xml:224
1604
msgid "The LDAP attribute that corresponds to the user's id."
1607
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1608
#: sssd-ldap.5.xml:228
1609
msgid "Default: uidNumber"
1612
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1613
#: sssd-ldap.5.xml:234
1614
msgid "ldap_user_gid_number (string)"
1617
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1618
#: sssd-ldap.5.xml:237
1619
msgid "The LDAP attribute that corresponds to the user's primary group id."
1622
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1623
#: sssd-ldap.5.xml:241 sssd-ldap.5.xml:637
1624
msgid "Default: gidNumber"
1627
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1628
#: sssd-ldap.5.xml:247
1629
msgid "ldap_user_gecos (string)"
1632
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1633
#: sssd-ldap.5.xml:250
1634
msgid "The LDAP attribute that corresponds to the user's gecos field."
1637
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1638
#: sssd-ldap.5.xml:254
1639
msgid "Default: gecos"
1642
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1643
#: sssd-ldap.5.xml:260
1644
msgid "ldap_user_home_directory (string)"
1647
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1648
#: sssd-ldap.5.xml:263
1649
msgid "The LDAP attribute that contains the name of the user's home directory."
1652
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1653
#: sssd-ldap.5.xml:267
1654
msgid "Default: homeDirectory"
1657
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1658
#: sssd-ldap.5.xml:273
1659
msgid "ldap_user_shell (string)"
1662
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1663
#: sssd-ldap.5.xml:276
1664
msgid "The LDAP attribute that contains the path to the user's default shell."
1667
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1668
#: sssd-ldap.5.xml:280
1669
msgid "Default: loginShell"
1672
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1673
#: sssd-ldap.5.xml:286
1674
msgid "ldap_user_uuid (string)"
1677
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1678
#: sssd-ldap.5.xml:289
1679
msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
1682
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1683
#: sssd-ldap.5.xml:293 sssd-ldap.5.xml:663 sssd-ldap.5.xml:756
1684
msgid "Default: nsUniqueId"
1687
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1688
#: sssd-ldap.5.xml:299
1689
msgid "ldap_user_modify_timestamp (string)"
1692
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1693
#: sssd-ldap.5.xml:302 sssd-ldap.5.xml:672 sssd-ldap.5.xml:765
1695
"The LDAP attribute that contains the timestamp of the last modification of the "
1699
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1700
#: sssd-ldap.5.xml:306 sssd-ldap.5.xml:676 sssd-ldap.5.xml:769
1701
msgid "Default: modifyTimestamp"
1704
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1705
#: sssd-ldap.5.xml:312
1706
msgid "ldap_user_shadow_last_change (string)"
1709
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1710
#: sssd-ldap.5.xml:315
1712
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1713
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1714
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
1715
"the last password change)."
1718
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1719
#: sssd-ldap.5.xml:325
1720
msgid "Default: shadowLastChange"
1723
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1724
#: sssd-ldap.5.xml:331
1725
msgid "ldap_user_shadow_min (string)"
1728
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1729
#: sssd-ldap.5.xml:334
1731
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1732
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1733
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
1737
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1738
#: sssd-ldap.5.xml:343
1739
msgid "Default: shadowMin"
1742
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1743
#: sssd-ldap.5.xml:349
1744
msgid "ldap_user_shadow_max (string)"
1747
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1748
#: sssd-ldap.5.xml:352
1750
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1751
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1752
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
1756
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1757
#: sssd-ldap.5.xml:361
1758
msgid "Default: shadowMax"
1761
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1762
#: sssd-ldap.5.xml:367
1763
msgid "ldap_user_shadow_warning (string)"
1766
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1767
#: sssd-ldap.5.xml:370
1769
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1770
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1771
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
1772
"(password warning period)."
1775
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1776
#: sssd-ldap.5.xml:380
1777
msgid "Default: shadowWarning"
1780
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1781
#: sssd-ldap.5.xml:386
1782
msgid "ldap_user_shadow_inactive (string)"
1785
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1786
#: sssd-ldap.5.xml:389
1788
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1789
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1790
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
1791
"(password inactivity period)."
1794
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1795
#: sssd-ldap.5.xml:399
1796
msgid "Default: shadowInactive"
1799
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1800
#: sssd-ldap.5.xml:405
1801
msgid "ldap_user_shadow_expire (string)"
1804
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1805
#: sssd-ldap.5.xml:408
1807
"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
1808
"parameter contains the name of an LDAP attribute corresponding to its "
1809
"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
1810
"manvolnum> </citerefentry> counterpart (account expiration date)."
1813
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1814
#: sssd-ldap.5.xml:418
1815
msgid "Default: shadowExpire"
1818
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1819
#: sssd-ldap.5.xml:424
1820
msgid "ldap_user_krb_last_pwd_change (string)"
1823
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1824
#: sssd-ldap.5.xml:427
1826
"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
1827
"an LDAP attribute storing the date and time of last password change in "
1831
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1832
#: sssd-ldap.5.xml:433
1833
msgid "Default: krbLastPwdChange"
1836
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1837
#: sssd-ldap.5.xml:439
1838
msgid "ldap_user_krb_password_expiration (string)"
1841
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1842
#: sssd-ldap.5.xml:442
1844
"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
1845
"an LDAP attribute storing the date and time when current password expires."
1848
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1849
#: sssd-ldap.5.xml:448
1850
msgid "Default: krbPasswordExpiration"
1853
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1854
#: sssd-ldap.5.xml:454
1855
msgid "ldap_user_ad_account_expires (string)"
1858
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1859
#: sssd-ldap.5.xml:457
1861
"When using ldap_account_expire_policy=ad, this parameter contains the name "
1862
"of an LDAP attribute storing the expiration time of the account."
1865
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1866
#: sssd-ldap.5.xml:462
1867
msgid "Default: accountExpires"
1870
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1871
#: sssd-ldap.5.xml:468
1872
msgid "ldap_user_ad_user_account_control (string)"
1875
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1876
#: sssd-ldap.5.xml:471
1878
"When using ldap_account_expire_policy=ad, this parameter contains the name "
1879
"of an LDAP attribute storing the user account control bit field."
1882
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1883
#: sssd-ldap.5.xml:476
1884
msgid "Default: userAccountControl"
1887
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1888
#: sssd-ldap.5.xml:482
1889
msgid "ldap_ns_account_lock (string)"
1892
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1893
#: sssd-ldap.5.xml:485
1895
"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
1896
"determines if access is allowed or not."
1899
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1900
#: sssd-ldap.5.xml:490
1901
msgid "Default: nsAccountLock"
1904
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1905
#: sssd-ldap.5.xml:496
1906
msgid "ldap_user_principal (string)"
1909
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1910
#: sssd-ldap.5.xml:499
1912
"The LDAP attribute that contains the user's Kerberos User Principal Name "
1916
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1917
#: sssd-ldap.5.xml:503
1918
msgid "Default: krbPrincipalName"
1921
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1922
#: sssd-ldap.5.xml:509
1923
msgid "ldap_force_upper_case_realm (boolean)"
1926
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1927
#: sssd-ldap.5.xml:512
1929
"Some directory servers, for example Active Directory, might deliver the "
1930
"realm part of the UPN in lower case, which might cause the authentication to "
1931
"fail. Set this option to a non-zero value if you want to use an upper-case "
1935
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1936
#: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
1937
#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
1938
msgid "Default: false"
1941
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1942
#: sssd-ldap.5.xml:525
1943
msgid "ldap_enumeration_refresh_timeout (integer)"
1946
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1947
#: sssd-ldap.5.xml:528
1949
"The LDAP attribute that contains how many seconds SSSD has to wait before "
1950
"refreshing its cache of enumerated records."
1953
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1954
#: sssd-ldap.5.xml:533
1955
msgid "Default: 300"
1958
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1959
#: sssd-ldap.5.xml:539
1960
msgid "ldap_purge_cache_timeout"
1963
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1964
#: sssd-ldap.5.xml:542
1966
"Determine how often to check the cache for inactive entries (such as groups "
1967
"with no members and users who have never logged in) and remove them to save "
1971
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1972
#: sssd-ldap.5.xml:548
1973
msgid "Setting this option to zero will disable the cache cleanup operation."
1976
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1977
#: sssd-ldap.5.xml:552
1978
msgid "Default: 10800 (12 hours)"
1981
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1982
#: sssd-ldap.5.xml:558
1983
msgid "ldap_user_fullname (string)"
1986
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1987
#: sssd-ldap.5.xml:561
1988
msgid "The LDAP attribute that corresponds to the user's full name."
1991
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1992
#: sssd-ldap.5.xml:565 sssd-ldap.5.xml:624 sssd-ldap.5.xml:717
1996
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1997
#: sssd-ldap.5.xml:571
1998
msgid "ldap_user_member_of (string)"
2001
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2002
#: sssd-ldap.5.xml:574
2003
msgid "The LDAP attribute that lists the user's group memberships."
2006
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2007
#: sssd-ldap.5.xml:578
2008
msgid "Default: memberOf"
2011
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2012
#: sssd-ldap.5.xml:584
2013
msgid "ldap_user_authorized_service (string)"
2016
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2017
#: sssd-ldap.5.xml:587
2019
"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
2020
"use the presence of the authorizedService attribute in the user's LDAP entry "
2021
"to determine access privilege."
2024
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2025
#: sssd-ldap.5.xml:594
2027
"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
2028
"explicit allow (svc) and finally for allow_all (*)."
2031
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2032
#: sssd-ldap.5.xml:599
2033
msgid "Default: authorizedService"
2036
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2037
#: sssd-ldap.5.xml:605
2038
msgid "ldap_group_object_class (string)"
2041
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2042
#: sssd-ldap.5.xml:608
2043
msgid "The object class of a group entry in LDAP."
2046
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2047
#: sssd-ldap.5.xml:611
2048
msgid "Default: posixGroup"
2051
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2052
#: sssd-ldap.5.xml:617
2053
msgid "ldap_group_name (string)"
2056
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2057
#: sssd-ldap.5.xml:620
2058
msgid "The LDAP attribute that corresponds to the group name."
2061
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2062
#: sssd-ldap.5.xml:630
2063
msgid "ldap_group_gid_number (string)"
2066
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2067
#: sssd-ldap.5.xml:633
2068
msgid "The LDAP attribute that corresponds to the group's id."
2071
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2072
#: sssd-ldap.5.xml:643
2073
msgid "ldap_group_member (string)"
2076
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2077
#: sssd-ldap.5.xml:646
2078
msgid "The LDAP attribute that contains the names of the group's members."
2081
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2082
#: sssd-ldap.5.xml:650
2083
msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
2086
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2087
#: sssd-ldap.5.xml:656
2088
msgid "ldap_group_uuid (string)"
2091
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2092
#: sssd-ldap.5.xml:659
2093
msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
2096
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2097
#: sssd-ldap.5.xml:669
2098
msgid "ldap_group_modify_timestamp (string)"
2101
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2102
#: sssd-ldap.5.xml:682
2103
msgid "ldap_group_nesting_level (integer)"
2106
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2107
#: sssd-ldap.5.xml:685
2109
"If ldap_schema is set to a schema format that supports nested groups (e.g. "
2110
"RFC2307bis), then this option controls how many levels of nesting SSSD will "
2111
"follow. This option has no effect on the RFC2307 schema."
2114
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2115
#: sssd-ldap.5.xml:692
2119
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2120
#: sssd-ldap.5.xml:698
2121
msgid "ldap_netgroup_object_class (string)"
2124
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2125
#: sssd-ldap.5.xml:701
2126
msgid "The object class of a netgroup entry in LDAP."
2129
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2130
#: sssd-ldap.5.xml:704
2131
msgid "Default: nisNetgroup"
2134
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2135
#: sssd-ldap.5.xml:710
2136
msgid "ldap_netgroup_name (string)"
2139
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2140
#: sssd-ldap.5.xml:713
2141
msgid "The LDAP attribute that corresponds to the netgroup name."
2144
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2145
#: sssd-ldap.5.xml:723
2146
msgid "ldap_netgroup_member (string)"
2149
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2150
#: sssd-ldap.5.xml:726
2151
msgid "The LDAP attribute that contains the names of the netgroup's members."
2154
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2155
#: sssd-ldap.5.xml:730
2156
msgid "Default: memberNisNetgroup"
2159
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2160
#: sssd-ldap.5.xml:736
2161
msgid "ldap_netgroup_triple (string)"
2164
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2165
#: sssd-ldap.5.xml:739
2167
"The LDAP attribute that contains the (host, user, domain) netgroup triples."
2170
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2171
#: sssd-ldap.5.xml:743
2172
msgid "Default: nisNetgroupTriple"
2175
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2176
#: sssd-ldap.5.xml:749
2177
msgid "ldap_netgroup_uuid (string)"
2180
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2181
#: sssd-ldap.5.xml:752
2183
"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
2186
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2187
#: sssd-ldap.5.xml:762
2188
msgid "ldap_netgroup_modify_timestamp (string)"
2191
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2192
#: sssd-ldap.5.xml:775
2193
msgid "ldap_search_timeout (integer)"
2196
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2197
#: sssd-ldap.5.xml:778
2199
"Specifies the timeout (in seconds) that LDAP searches are allowed to run "
2200
"before they are cancelled and cached results are returned (and offline mode "
2204
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2205
#: sssd-ldap.5.xml:784
2207
"Note: this option is subject to change in future versions of the SSSD. It "
2208
"will likely be replaced at some point by a series of timeouts for specific "
2212
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2213
#: sssd-ldap.5.xml:790 sssd-ldap.5.xml:832 sssd-ldap.5.xml:847
2217
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2218
#: sssd-ldap.5.xml:796
2219
msgid "ldap_enumeration_search_timeout (integer)"
2222
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2223
#: sssd-ldap.5.xml:799
2225
"Specifies the timeout (in seconds) that LDAP searches for user and group "
2226
"enumerations are allowed to run before they are cancelled and cached results "
2227
"are returned (and offline mode is entered)"
2230
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2231
#: sssd-ldap.5.xml:806
2235
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2236
#: sssd-ldap.5.xml:812
2237
msgid "ldap_network_timeout (integer)"
2240
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2241
#: sssd-ldap.5.xml:815
2243
"Specifies the timeout (in seconds) after which the <citerefentry> "
2244
"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
2245
"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
2246
"manvolnum> </citerefentry> following a <citerefentry> "
2247
"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
2248
"citerefentry> returns in case of no activity."
2251
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2252
#: sssd-ldap.5.xml:838
2253
msgid "ldap_opt_timeout (integer)"
2256
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2257
#: sssd-ldap.5.xml:841
2259
"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
2260
"will abort if no response is received. Also controls the timeout when "
2261
"communicating with the KDC in case of SASL bind."
2264
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2265
#: sssd-ldap.5.xml:853
2266
msgid "ldap_page_size (integer)"
2269
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2270
#: sssd-ldap.5.xml:856
2272
"Specify the number of records to retrieve from LDAP in a single request. "
2273
"Some LDAP servers enforce a maximum limit per-request."
2276
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2277
#: sssd-ldap.5.xml:861
2278
msgid "Default: 1000"
2281
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2282
#: sssd-ldap.5.xml:867
2283
msgid "ldap_tls_reqcert (string)"
2286
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2287
#: sssd-ldap.5.xml:870
2289
"Specifies what checks to perform on server certificates in a TLS session, if "
2290
"any. It can be specified as one of the following values:"
2293
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2294
#: sssd-ldap.5.xml:876
2296
"<emphasis>never</emphasis> = The client will not request or check any server "
2300
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2301
#: sssd-ldap.5.xml:880
2303
"<emphasis>allow</emphasis> = The server certificate is requested. If no "
2304
"certificate is provided, the session proceeds normally. If a bad certificate "
2305
"is provided, it will be ignored and the session proceeds normally. With this "
"setting the server's identity is not verified."
2308
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2309
#: sssd-ldap.5.xml:887
2311
"<emphasis>try</emphasis> = The server certificate is requested. If no "
2312
"certificate is provided, the session proceeds normally. If a bad certificate "
2313
"is provided, the session is immediately terminated."
2316
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2317
#: sssd-ldap.5.xml:893
2319
"<emphasis>demand</emphasis> = The server certificate is requested. If no "
2320
"certificate is provided, or a bad certificate is provided, the session is "
2321
"immediately terminated."
2324
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2325
#: sssd-ldap.5.xml:899
2326
msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
2329
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2330
#: sssd-ldap.5.xml:903
2331
msgid "Default: hard"
2334
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2335
#: sssd-ldap.5.xml:909
2336
msgid "ldap_tls_cacert (string)"
2339
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2340
#: sssd-ldap.5.xml:912
2342
"Specifies the file that contains certificates for all of the Certificate "
2343
"Authorities that <command>sssd</command> will recognize."
2346
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2347
#: sssd-ldap.5.xml:917 sssd-ldap.5.xml:935 sssd-ldap.5.xml:976
2349
"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
2353
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2354
#: sssd-ldap.5.xml:924
2355
msgid "ldap_tls_cacertdir (string)"
2358
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2359
#: sssd-ldap.5.xml:927
2361
"Specifies the path of a directory that contains Certificate Authority "
2362
"certificates in separate individual files. Typically the file names need to "
2363
"be the hash of the certificate followed by '.0'. If available, "
2364
"<command>cacertdir_rehash</command> can be used to create the correct names."
2367
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2368
#: sssd-ldap.5.xml:942
2369
msgid "ldap_tls_cert (string)"
2372
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2373
#: sssd-ldap.5.xml:945
2374
msgid "Specifies the file that contains the certificate for the client's key."
2377
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2378
#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
2379
msgid "Default: not set"
2382
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2383
#: sssd-ldap.5.xml:955
2384
msgid "ldap_tls_key (string)"
2387
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2388
#: sssd-ldap.5.xml:958
2389
msgid "Specifies the file that contains the client's key."
2392
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2393
#: sssd-ldap.5.xml:967
2394
msgid "ldap_tls_cipher_suite (string)"
2397
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2398
#: sssd-ldap.5.xml:970
2400
"Specifies acceptable cipher suites. Typically this is a colon separated "
2401
"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
2402
"<manvolnum>5</manvolnum></citerefentry> for format."
2405
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2406
#: sssd-ldap.5.xml:983
2407
msgid "ldap_id_use_start_tls (boolean)"
2410
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2411
#: sssd-ldap.5.xml:986
2413
"Specifies that the id_provider connection must also use <systemitem class="
2414
"\"protocol\">tls</systemitem> to protect the channel."
2417
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2418
#: sssd-ldap.5.xml:996
2419
msgid "ldap_sasl_mech (string)"
2422
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2423
#: sssd-ldap.5.xml:999
2425
"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
2429
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2430
#: sssd-ldap.5.xml:1003 sssd-ldap.5.xml:1131
2431
msgid "Default: none"
2434
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2435
#: sssd-ldap.5.xml:1009
2436
msgid "ldap_sasl_authid (string)"
2439
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2440
#: sssd-ldap.5.xml:1012
2442
"Specify the SASL authorization id to use. When GSSAPI is used, this "
2443
"represents the Kerberos principal used for authentication to the directory."
2446
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2447
#: sssd-ldap.5.xml:1017
2448
msgid "Default: host/machine.fqdn@REALM"
2451
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2452
#: sssd-ldap.5.xml:1023
2453
msgid "ldap_krb5_keytab (string)"
2456
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2457
#: sssd-ldap.5.xml:1026
2458
msgid "Specify the keytab to use when using SASL/GSSAPI."
2461
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2462
#: sssd-ldap.5.xml:1029
2463
msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
2466
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2467
#: sssd-ldap.5.xml:1035
2468
msgid "ldap_krb5_init_creds (boolean)"
2471
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2472
#: sssd-ldap.5.xml:1038
2474
"Specifies that the id_provider should init Kerberos credentials (TGT). This "
2475
"action is performed only if SASL is used and the mechanism selected is "
2479
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2480
#: sssd-ldap.5.xml:1050
2481
msgid "ldap_krb5_ticket_lifetime (integer)"
2484
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2485
#: sssd-ldap.5.xml:1053
2486
msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
2489
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2490
#: sssd-ldap.5.xml:1057
2491
msgid "Default: 86400 (24 hours)"
2494
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2495
#: sssd-ldap.5.xml:1063 sssd-krb5.5.xml:74
2496
msgid "krb5_server (string)"
2499
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2500
#: sssd-ldap.5.xml:1066 sssd-krb5.5.xml:77
2502
"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
2503
"which SSSD should connect in the order of preference. For more information "
2504
"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
2505
"An optional port number (preceded by a colon) may be appended to the "
2506
"addresses or hostnames. If empty, service discovery is enabled - for more "
2507
"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
2510
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2511
#: sssd-ldap.5.xml:1078 sssd-krb5.5.xml:89
2513
"When using service discovery for KDC or kpasswd servers, SSSD first searches "
2514
"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
2518
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2519
#: sssd-ldap.5.xml:1083 sssd-krb5.5.xml:94
2521
"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
2522
"While the legacy name is recognized for the time being, users are advised to "
2523
"migrate their config files to use <quote>krb5_server</quote> instead."
2526
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2527
#: sssd-ldap.5.xml:1092 sssd-ipa.5.xml:165 sssd-krb5.5.xml:103
2528
msgid "krb5_realm (string)"
2531
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2532
#: sssd-ldap.5.xml:1095
2533
msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
2536
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2537
#: sssd-ldap.5.xml:1098
2538
msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
2541
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2542
#: sssd-ldap.5.xml:1104
2543
msgid "ldap_pwd_policy (string)"
2546
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2547
#: sssd-ldap.5.xml:1107
2549
"Select the policy to evaluate the password expiration on the client side. "
2550
"The following values are allowed:"
2553
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2554
#: sssd-ldap.5.xml:1112
2556
"<emphasis>none</emphasis> - No evaluation on the client side. This option "
2557
"cannot disable server-side password policies."
2560
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2561
#: sssd-ldap.5.xml:1117
2563
"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
2564
"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
2565
"evaluate if the password has expired. Note that the current version of sssd "
2566
"cannot update this attribute during a password change."
2569
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2570
#: sssd-ldap.5.xml:1125
2572
"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
2573
"to determine if the password has expired. Use chpass_provider=krb5 to update "
2574
"these attributes when the password is changed."
2577
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2578
#: sssd-ldap.5.xml:1137
2579
msgid "ldap_referrals (boolean)"
2582
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2583
#: sssd-ldap.5.xml:1140
2584
msgid "Specifies whether automatic referral chasing should be enabled."
2587
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2588
#: sssd-ldap.5.xml:1144
2590
"Please note that sssd only supports referral chasing when it is compiled "
2591
"with OpenLDAP version 2.4.13 or higher."
2594
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2595
#: sssd-ldap.5.xml:1155
2596
msgid "ldap_dns_service_name (string)"
2599
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2600
#: sssd-ldap.5.xml:1158
2601
msgid "Specifies the service name to use when service discovery is enabled."
2604
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2605
#: sssd-ldap.5.xml:1162
2606
msgid "Default: ldap"
2609
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2610
#: sssd-ldap.5.xml:1168
2611
msgid "ldap_chpass_dns_service_name (string)"
2614
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2615
#: sssd-ldap.5.xml:1171
2617
"Specifies the service name to use to find an LDAP server which allows "
2618
"password changes when service discovery is enabled."
2621
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2622
#: sssd-ldap.5.xml:1176
2623
msgid "Default: not set, i.e. service discovery is disabled"
2626
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2627
#: sssd-ldap.5.xml:1182
2628
msgid "ldap_access_filter (string)"
2631
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2632
#: sssd-ldap.5.xml:1185
2634
"If using access_provider = ldap, this option is mandatory. It specifies an "
2635
"LDAP search filter criteria that must be met for the user to be granted "
2636
"access on this host. If access_provider = ldap and this option is not set, "
2637
"it will result in all users being denied access. Use access_provider = allow "
2638
"to change this default behavior."
2641
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2642
#: sssd-ldap.5.xml:1195
2646
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
2647
#: sssd-ldap.5.xml:1198
2650
"access_provider = ldap\n"
2651
"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com\n"
2655
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2656
#: sssd-ldap.5.xml:1202
2658
"This example means that access to this host is restricted to members of the "
2659
"\"allowedusers\" group in ldap."
2662
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2663
#: sssd-ldap.5.xml:1207
2665
"Offline caching for this feature is limited to determining whether the "
2666
"user's last online login was granted access permission. If they were granted "
2667
"access during their last login, they will continue to be granted access "
2668
"while offline and vice-versa."
2671
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2672
#: sssd-ldap.5.xml:1215 sssd-ldap.5.xml:1256
2673
msgid "Default: Empty"
2676
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2677
#: sssd-ldap.5.xml:1221
2678
msgid "ldap_account_expire_policy (string)"
2681
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2682
#: sssd-ldap.5.xml:1224
2684
"With this option a client side evaluation of access control attributes can "
2688
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2689
#: sssd-ldap.5.xml:1228
2691
"Please note that it is always recommended to use server side access control, "
2692
"i.e. the LDAP server should deny the bind request with a suitable error code "
2693
"even if the password is correct."
2696
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2697
#: sssd-ldap.5.xml:1235
2698
msgid "The following values are allowed:"
2701
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2702
#: sssd-ldap.5.xml:1238
2704
"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
2705
"determine if the account is expired."
2708
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2709
#: sssd-ldap.5.xml:1243
2711
"<emphasis>ad</emphasis>: use the value of the 32bit field "
2712
"ldap_user_ad_user_account_control and allow access if the second bit is not "
2713
"set. If the attribute is missing access is granted. Also the expiration time "
2714
"of the account is checked."
2717
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2718
#: sssd-ldap.5.xml:1250
2720
"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
2721
"emphasis>: use the value of ldap_ns_account_lock to check if access is "
2725
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2726
#: sssd-ldap.5.xml:1262
2727
msgid "ldap_access_order (string)"
2730
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2731
#: sssd-ldap.5.xml:1265
2732
msgid "Comma separated list of access control options. Allowed values are:"
2735
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2736
#: sssd-ldap.5.xml:1269
2737
msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
2740
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2741
#: sssd-ldap.5.xml:1272
2742
msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
2745
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2746
#: sssd-ldap.5.xml:1276
2748
"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
2749
"to determine access"
2752
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2753
#: sssd-ldap.5.xml:1281
2754
msgid "Default: filter"
2757
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2758
#: sssd-ldap.5.xml:1284
2760
"Please note that it is a configuration error if a value is used more than "
2764
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2765
#: sssd-ldap.5.xml:1291
2766
msgid "ldap_deref (string)"
2769
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2770
#: sssd-ldap.5.xml:1294
2772
"Specifies how alias dereferencing is done when performing a search. The "
2773
"following options are allowed:"
2776
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2777
#: sssd-ldap.5.xml:1299
2778
msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
2781
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2782
#: sssd-ldap.5.xml:1303
2784
"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
2785
"the base object, but not in locating the base object of the search."
2788
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2789
#: sssd-ldap.5.xml:1308
2791
"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
2792
"the base object of the search."
2795
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2796
#: sssd-ldap.5.xml:1313
2798
"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
2799
"in locating the base object of the search."
2802
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2803
#: sssd-ldap.5.xml:1318
2805
"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
2809
#. type: Content of: <reference><refentry><refsect1><para>
2810
#: sssd-ldap.5.xml:51
2812
"All of the common configuration options that apply to SSSD domains also "
2813
"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
2814
"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
2815
"manvolnum> </citerefentry> manual page for full details. <placeholder type="
2816
"\"variablelist\" id=\"0\"/>"
2819
#. type: Content of: <reference><refentry><refsect1><title>
2820
#: sssd-ldap.5.xml:1330
2821
msgid "ADVANCED OPTIONS"
2824
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2825
#: sssd-ldap.5.xml:1337
2826
msgid "ldap_netgroup_search_base (string)"
2829
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2830
#: sssd-ldap.5.xml:1340
2832
"An optional base DN to restrict netgroup searches to a specific subtree."
2835
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2836
#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:1358 sssd-ldap.5.xml:1372
2837
msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
2840
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2841
#: sssd-ldap.5.xml:1351
2842
msgid "ldap_user_search_base (string)"
2845
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2846
#: sssd-ldap.5.xml:1354
2847
msgid "An optional base DN to restrict user searches to a specific subtree."
2850
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2851
#: sssd-ldap.5.xml:1365
2852
msgid "ldap_group_search_base (string)"
2855
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2856
#: sssd-ldap.5.xml:1368
2857
msgid "An optional base DN to restrict group searches to a specific subtree."
2860
#. type: Content of: <reference><refentry><refsect1><para>
2861
#: sssd-ldap.5.xml:1332
2863
"These options are supported by LDAP domains, but they should be used with "
2864
"caution. Please include them in your configuration only if you know what you "
2865
"are doing. <placeholder type=\"variablelist\" id=\"0\"/>"
2868
#. type: Content of: <reference><refentry><refsect1><para>
2869
#: sssd-ldap.5.xml:1388
2871
"The following example assumes that SSSD is correctly configured and LDAP is "
2872
"set to one of the domains in the <replaceable>[domains]</replaceable> "
2876
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
2877
#: sssd-ldap.5.xml:1394
2881
" id_provider = ldap\n"
2882
" auth_provider = ldap\n"
2883
" ldap_uri = ldap://ldap.mydomain.org\n"
2884
" ldap_search_base = dc=mydomain,dc=org\n"
2885
" ldap_tls_reqcert = demand\n"
2886
" cache_credentials = true\n"
2887
" enumerate = true\n"
2890
#. type: Content of: <reference><refentry><refsect1><para>
2891
#: sssd-ldap.5.xml:1393 sssd-simple.5.xml:134 sssd-ipa.5.xml:196
2892
#: sssd-krb5.5.xml:414
2893
msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
2896
#. type: Content of: <reference><refentry><refsect1><title>
2897
#: sssd-ldap.5.xml:1407 sssd_krb5_locator_plugin.8.xml:61
2901
#. type: Content of: <reference><refentry><refsect1><para>
2902
#: sssd-ldap.5.xml:1409
2904
"The descriptions of some of the configuration options in this manual page "
2905
"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
2906
"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
2910
#. type: Content of: <reference><refentry><refsect1><para>
2911
#: sssd-ldap.5.xml:1420
2913
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
2914
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
2915
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
2916
"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
2919
#. type: Content of: <refentryinfo>
2920
#: pam_sss.8.xml:8 include/upstream.xml:2
2922
"<productname>SSSD</productname> <orgname>The SSSD upstream - http://"
2923
"fedorahosted.org/sssd</orgname>"
2926
#. type: Content of: <reference><refentry><refnamediv><refname>
2927
#: pam_sss.8.xml:13 pam_sss.8.xml:18
2931
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
2933
msgid "PAM module for SSSD"
2936
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
2939
"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
2940
"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
2941
"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
2942
"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
2946
#. type: Content of: <reference><refentry><refsect1><para>
2949
"<command>pam_sss.so</command> is the PAM interface to the System Security "
2950
"Services daemon (SSSD). Errors and results are logged through <command>syslog"
2951
"(3)</command> with the LOG_AUTHPRIV facility."
2954
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2956
msgid "<option>forward_pass</option>"
2959
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2962
"If <option>forward_pass</option> is set the entered password is put on the "
2963
"stack for other PAM modules to use."
2966
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2968
msgid "<option>use_first_pass</option>"
2971
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2974
"The argument use_first_pass forces the module to use a previously stacked "
2975
"module's password and will never prompt the user - if no password is "
2976
"available or the password is not appropriate, the user will be denied access."
2979
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2981
msgid "<option>use_authtok</option>"
2984
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2987
"When changing a password, force the module to set the new password to the one "
2988
"provided by a previously stacked password module."
2991
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2993
msgid "<option>retry=N</option>"
2996
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2999
"If specified the user is asked another N times for a password if "
3000
"authentication fails. Default is 0."
3003
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3006
"Please note that this option might not work as expected if the application "
3007
"calling PAM handles the user dialog on its own. A typical example is "
3008
"<command>sshd</command> with <option>PasswordAuthentication</option>."
3011
#. type: Content of: <reference><refentry><refsect1><title>
3013
msgid "MODULE TYPES PROVIDED"
3016
#. type: Content of: <reference><refentry><refsect1><para>
3017
#: pam_sss.8.xml:100
3019
"All module types (<option>account</option>, <option>auth</option>, "
3020
"<option>password</option> and <option>session</option>) are provided."
3023
#. type: Content of: <reference><refentry><refsect1><title>
3024
#: pam_sss.8.xml:106
3028
#. type: Content of: <reference><refentry><refsect1><para>
3029
#: pam_sss.8.xml:107
3031
"If a password reset by root fails, because the corresponding SSSD provider "
3032
"does not support password resets, an individual message can be displayed. "
3033
"This message can e.g. contain instructions about how to reset a password."
3036
#. type: Content of: <reference><refentry><refsect1><para>
3037
#: pam_sss.8.xml:112
3039
"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
3040
"filename> where LOC stands for a locale string returned by <citerefentry> "
3041
"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
3042
"citerefentry>. If there is no matching file the content of "
3043
"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
3044
"the owner of the files and only root may have read and write permissions "
3045
"while all other users must have only read permissions."
3048
#. type: Content of: <reference><refentry><refsect1><para>
3049
#: pam_sss.8.xml:122
3051
"These files are searched in the directory <filename>/etc/sssd/customize/"
3052
"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
3056
#. type: Content of: <reference><refentry><refsect1><para>
3057
#: pam_sss.8.xml:130
3059
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
3060
"manvolnum> </citerefentry>"
3063
#. type: Content of: <reference><refentry><refnamediv><refname>
3064
#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
3065
msgid "sssd_krb5_locator_plugin"
3068
#. type: Content of: <reference><refentry><refsect1><para>
3069
#: sssd_krb5_locator_plugin.8.xml:22
3071
"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
3072
"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
3073
"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
3074
"libraries what Realm and which KDC to use. Typically this is done in "
3075
"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
3076
"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
3077
"To simplify the configuration the Realm and the KDC can be defined in "
3078
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
3079
"manvolnum> </citerefentry> as described in <citerefentry> "
3080
"<refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
3084
#. type: Content of: <reference><refentry><refsect1><para>
3085
#: sssd_krb5_locator_plugin.8.xml:48
3087
"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
3088
"</citerefentry> puts the Realm and the name or IP address of the KDC into "
3089
"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. "
3090
"When <command>sssd_krb5_locator_plugin</command> is called by the kerberos "
3091
"libraries it reads and evaluates these variables and returns them to the "
3095
#. type: Content of: <reference><refentry><refsect1><para>
3096
#: sssd_krb5_locator_plugin.8.xml:63
3098
"Not all Kerberos implementations support the use of plugins. If "
3099
"<command>sssd_krb5_locator_plugin</command> is not available on your system "
3100
"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
3103
#. type: Content of: <reference><refentry><refsect1><para>
3104
#: sssd_krb5_locator_plugin.8.xml:69
3106
"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
3107
"debug messages will be sent to stderr."
3110
#. type: Content of: <reference><refentry><refsect1><para>
3111
#: sssd_krb5_locator_plugin.8.xml:77
3113
"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</"
3114
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
3115
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
3116
"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
3119
#. type: Content of: <reference><refentry><refnamediv><refname>
3120
#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
3124
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3125
#: sssd-simple.5.xml:17
3126
msgid "the configuration file for SSSD's 'simple' access-control provider"
3129
#. type: Content of: <reference><refentry><refsect1><para>
3130
#: sssd-simple.5.xml:24
3132
"This manual page describes the configuration of the simple access-control "
3133
"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
3134
"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
3135
"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
3136
"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
3137
"citerefentry> manual page."
3140
#. type: Content of: <reference><refentry><refsect1><para>
3141
#: sssd-simple.5.xml:38
3143
"The simple access provider grants or denies access based on an access or "
3144
"deny list of user or group names. The following rules apply:"
3147
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3148
#: sssd-simple.5.xml:43
3149
msgid "If all lists are empty, access is granted"
3152
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3153
#: sssd-simple.5.xml:47
3155
"If any list is provided, the order of evaluation is allow,deny. This means "
3156
"that any matching deny rule will supersede any matched allow rule."
3159
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3160
#: sssd-simple.5.xml:54
3162
"If either or both \"allow\" lists are provided, all users are denied unless "
3163
"they appear in the list."
3166
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3167
#: sssd-simple.5.xml:60
3169
"If only \"deny\" lists are provided, all users are granted access unless "
3170
"they appear in the list."
3173
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3174
#: sssd-simple.5.xml:78
3175
msgid "simple_allow_users (string)"
3178
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3179
#: sssd-simple.5.xml:81
3180
msgid "Comma separated list of users who are allowed to log in."
3183
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3184
#: sssd-simple.5.xml:88
3185
msgid "simple_deny_users (string)"
3188
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3189
#: sssd-simple.5.xml:91
3190
msgid "Comma separated list of users who are explicitly denied access."
3193
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3194
#: sssd-simple.5.xml:97
3195
msgid "simple_allow_groups (string)"
3198
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3199
#: sssd-simple.5.xml:100
3201
"Comma separated list of groups that are allowed to log in. This applies only "
3202
"to groups within this SSSD domain. Local groups are not evaluated."
3205
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3206
#: sssd-simple.5.xml:108
3207
msgid "simple_deny_groups (string)"
3210
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3211
#: sssd-simple.5.xml:111
3213
"Comma separated list of groups that are explicitly denied access. This "
3214
"applies only to groups within this SSSD domain. Local groups are not "
3218
#. type: Content of: <reference><refentry><refsect1><para>
3219
#: sssd-simple.5.xml:70 sssd-ipa.5.xml:62
3221
"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
3222
"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
3223
"citerefentry> manual page for details on the configuration of an SSSD "
3224
"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
3227
#. type: Content of: <reference><refentry><refsect1><para>
3228
#: sssd-simple.5.xml:120
3230
"Please note that it is a configuration error if both, simple_allow_users "
3231
"and simple_deny_users, are defined."
3234
#. type: Content of: <reference><refentry><refsect1><para>
3235
#: sssd-simple.5.xml:128
3237
"The following example assumes that SSSD is correctly configured and example."
3238
"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
3239
"This example shows only the simple access provider-specific options."
3242
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
3243
#: sssd-simple.5.xml:135
3246
" [domain/example.com]\n"
3247
" access_provider = simple\n"
3248
" simple_allow_users = user1, user2\n"
3251
#. type: Content of: <reference><refentry><refsect1><para>
3252
#: sssd-simple.5.xml:145
3254
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
3255
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd</"
3256
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
3259
#. type: Content of: <reference><refentry><refnamediv><refname>
3260
#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
3264
#. type: Content of: <reference><refentry><refsect1><para>
3265
#: sssd-ipa.5.xml:23
3267
"This manual page describes the configuration of the IPA provider for "
3268
"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
3269
"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
3270
"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
3271
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
3274
#. type: Content of: <reference><refentry><refsect1><para>
3275
#: sssd-ipa.5.xml:36
3277
"The IPA provider is a back end used to connect to an IPA server. (Refer to "
3278
"the freeipa.org web site for information about IPA servers.) This provider "
3279
"requires that the machine be joined to the IPA domain; configuration is "
3280
"almost entirely self-discovered and obtained directly from the server."
3283
#. type: Content of: <reference><refentry><refsect1><para>
3284
#: sssd-ipa.5.xml:43
3286
"The IPA provider accepts the same options used by the <citerefentry> "
3287
"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
3288
"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
3289
"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
3290
"provider. However, it is neither necessary nor recommended to set these "
3291
"options. IPA provider can also be used as an access and chpass provider. As "
3292
"an access provider it uses HBAC (host-based access control) rules. Please "
3293
"refer to freeipa.org for more information about HBAC. No configuration of "
3294
"access provider is required on the client side."
3297
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3298
#: sssd-ipa.5.xml:69
3299
msgid "ipa_domain (string)"
3302
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3303
#: sssd-ipa.5.xml:72
3305
"Specifies the name of the IPA domain. This is optional. If not provided, "
3306
"the configuration domain name is used."
3309
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3310
#: sssd-ipa.5.xml:80
3311
msgid "ipa_server (string)"
3314
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3315
#: sssd-ipa.5.xml:83
3317
"The list of IP addresses or hostnames of the IPA servers to which SSSD "
3318
"should connect in the order of preference. For more information on failover "
3319
"and server redundancy, see the <quote>FAILOVER</quote> section. This is "
3320
"optional if autodiscovery is enabled. For more information on service "
3321
"discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
3324
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3325
#: sssd-ipa.5.xml:96
3326
msgid "ipa_hostname (string)"
3329
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3330
#: sssd-ipa.5.xml:99
3332
"Optional. May be set on machines where the hostname(5) does not reflect the "
3333
"fully qualified name used in the IPA domain to identify this host."
3336
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3337
#: sssd-ipa.5.xml:107
3338
msgid "ipa_dyndns_update (boolean)"
3341
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3342
#: sssd-ipa.5.xml:110
3344
"Optional. This option tells SSSD to automatically update the DNS server "
3345
"built into FreeIPA v2 with the IP address of this client."
3348
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3349
#: sssd-ipa.5.xml:121
3350
msgid "ipa_dyndns_iface (string)"
3353
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3354
#: sssd-ipa.5.xml:124
3356
"Optional. Applicable only when ipa_dyndns_update is true. Choose the "
3357
"interface whose IP address should be used for dynamic DNS updates."
3360
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3361
#: sssd-ipa.5.xml:129
3362
msgid "Default: Use the IP address of the IPA LDAP connection"
3365
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3366
#: sssd-ipa.5.xml:135
3367
msgid "ipa_hbac_search_base (string)"
3370
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3371
#: sssd-ipa.5.xml:138
3372
msgid "Optional. Use the given string as search base for HBAC related objects."
3375
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3376
#: sssd-ipa.5.xml:142
3377
msgid "Default: Use base DN"
3380
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3381
#: sssd-ipa.5.xml:148 sssd-krb5.5.xml:229
3382
msgid "krb5_validate (boolean)"
3385
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3386
#: sssd-ipa.5.xml:151 sssd-krb5.5.xml:232
3388
"Verify with the help of krb5_keytab that the TGT obtained has not been "
3392
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3393
#: sssd-ipa.5.xml:158
3395
"Note that this default differs from the traditional Kerberos provider back "
3399
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3400
#: sssd-ipa.5.xml:168
3402
"The name of the Kerberos realm. This is optional and defaults to the value "
3403
"of <quote>ipa_domain</quote>."
3406
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3407
#: sssd-ipa.5.xml:172
3409
"The name of the Kerberos realm has a special meaning in IPA - it is "
3410
"converted into the base DN to use for performing LDAP operations."
3413
#. type: Content of: <reference><refentry><refsect1><para>
3414
#: sssd-ipa.5.xml:190
3416
"The following example assumes that SSSD is correctly configured and example."
3417
"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
3418
"This example shows only the ipa provider-specific options."
3421
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
3422
#: sssd-ipa.5.xml:197
3425
" [domain/example.com]\n"
3426
" id_provider = ipa\n"
3427
" ipa_server = ipaserver.example.com\n"
3428
" ipa_hostname = myhost.example.com\n"
3431
#. type: Content of: <reference><refentry><refsect1><para>
3432
#: sssd-ipa.5.xml:208
3434
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
3435
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
3436
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
3437
"<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </"
3438
"citerefentry>, <citerefentry> <refentrytitle>sssd</"
3439
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
3442
#. type: Content of: <reference><refentry><refnamediv><refname>
3443
#: sssd.8.xml:10 sssd.8.xml:15
3447
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3449
msgid "System Security Services Daemon"
3452
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
3455
"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
3456
"replaceable> </arg>"
3459
#. type: Content of: <reference><refentry><refsect1><para>
3462
"<command>SSSD</command> provides a set of daemons to manage access to remote "
3463
"directories and authentication mechanisms. It provides an NSS and PAM "
3464
"interface toward the system and a pluggable backend system to connect to "
3465
"multiple different account sources as well as D-Bus interface. It is also "
3466
"the basis to provide client auditing and policy services for projects like "
3467
"FreeIPA. It provides a more robust database to store local users as well as "
3468
"extended user data."
3471
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3474
"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
3478
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3481
"Debug level to run the daemon with. 0 is the default as well as the lowest "
3482
"allowed value, 10 is the most verbose mode. This setting overrides the "
3483
"settings from config file. This parameter implies <option>-i</option>."
3486
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3488
msgid "<option>-f</option>,<option>--debug-to-files</option>"
3491
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3494
"Send the debug output to files instead of stderr. By default, the log files "
3495
"are stored in <filename>/var/log/sssd</filename> and there are separate log "
3496
"files for every SSSD service and domain."
3499
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3501
msgid "<option>-D</option>,<option>--daemon</option>"
3504
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3506
msgid "Become a daemon after starting up."
3509
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3511
msgid "<option>-i</option>,<option>--interactive</option>"
3514
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3516
msgid "Run in the foreground, don't become a daemon."
3519
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3521
msgid "<option>-c</option>,<option>--config</option>"
3524
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3527
"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
3528
"conf</filename>. For reference on the config file syntax and options, "
3529
"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
3530
"<manvolnum>5</manvolnum> </citerefentry> manual page."
3533
#. type: Content of: <reference><refentry><refsect1><title>
3538
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3540
msgid "SIGTERM/SIGINT"
3543
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3546
"Informs the SSSD to gracefully terminate all of its child processes and then "
3547
"shut down the monitor."
3550
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3555
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3558
"Tells the SSSD to stop writing to its current debug file descriptors and to "
3559
"close and reopen them. This is meant to facilitate log rolling with programs "
3563
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3568
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3571
"Tells the SSSD to simulate offline operation for one minute. This is mostly "
3572
"useful for testing purposes."
3575
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3580
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3583
"Tells the SSSD to go online immediately. This is mostly useful for testing "
3587
#. type: Content of: <reference><refentry><refsect1><para>
3590
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
3591
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
3592
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3593
"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
3594
"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
3595
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3596
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
3597
"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
3598
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3599
"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
3603
#. type: Content of: <reference><refentry><refnamediv><refname>
3604
#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
3605
msgid "sss_obfuscate"
3608
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3609
#: sss_obfuscate.8.xml:16
3610
msgid "obfuscate a clear text password"
3613
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
3614
#: sss_obfuscate.8.xml:21
3616
"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
3617
"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
3618
"replaceable></arg>"
3621
#. type: Content of: <reference><refentry><refsect1><para>
3622
#: sss_obfuscate.8.xml:32
3624
"<command>sss_obfuscate</command> converts a given password into human-"
3625
"unreadable format and places it into the appropriate domain section of the SSSD "
3629
#. type: Content of: <reference><refentry><refsect1><para>
3630
#: sss_obfuscate.8.xml:37
3632
"The cleartext password is read from standard input or entered "
3633
"interactively. The obfuscated password is put into "
3634
"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
3635
"<quote>ldap_default_authtok_type</quote> parameter is set to "
3636
"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
3637
"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
3638
"citerefentry> for more details on these parameters."
3641
#. type: Content of: <reference><refentry><refsect1><para>
3642
#: sss_obfuscate.8.xml:49
3644
"Please note that obfuscating the password provides <emphasis>no real "
3645
"security benefit</emphasis> as it is still possible for an attacker to "
3646
"reverse-engineer the password back. Using better authentication mechanisms "
3647
"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
3651
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3652
#: sss_obfuscate.8.xml:63
3653
msgid "<option>-s</option>,<option>--stdin</option>"
3656
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3657
#: sss_obfuscate.8.xml:67
3658
msgid "The password to obfuscate will be read from standard input."
3661
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3662
#: sss_obfuscate.8.xml:74
3664
"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
3668
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3669
#: sss_obfuscate.8.xml:79
3671
"The SSSD domain to use the password in. The default name is <quote>default</"
3675
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3676
#: sss_obfuscate.8.xml:86
3678
"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
3681
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3682
#: sss_obfuscate.8.xml:91
3683
msgid "Read the config file specified by the positional parameter."
3686
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3687
#: sss_obfuscate.8.xml:95
3688
msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
3691
#. type: Content of: <reference><refentry><refsect1><para>
3692
#: sss_obfuscate.8.xml:105
3694
"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
3695
"manvolnum> </citerefentry>"
3698
#. type: Content of: <reference><refentry><refnamediv><refname>
3699
#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
3703
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3704
#: sss_useradd.8.xml:16
3705
msgid "create a new user"
3708
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
3709
#: sss_useradd.8.xml:21
3711
"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
3712
"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
3716
#. type: Content of: <reference><refentry><refsect1><para>
3717
#: sss_useradd.8.xml:32
3719
"<command>sss_useradd</command> creates a new user account using the values "
3720
"specified on the command line plus the default values from the system."
3723
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3724
#: sss_useradd.8.xml:43
3726
"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
3729
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3730
#: sss_useradd.8.xml:48
3732
"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
3733
"not given, it is chosen automatically."
3736
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3737
#: sss_useradd.8.xml:55 sss_usermod.8.xml:43
3739
"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
3743
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3744
#: sss_useradd.8.xml:60 sss_usermod.8.xml:48
3746
"Any text string describing the user. Often used as the field for the user's "
3750
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3751
#: sss_useradd.8.xml:67 sss_usermod.8.xml:55
3753
"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
3757
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3758
#: sss_useradd.8.xml:72
3760
"The home directory of the user account. The default is to append the "
3761
"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
3762
"that as the home directory. The base that is prepended before "
3763
"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
3764
"baseDirectory</quote> setting in sssd.conf."
3767
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3768
#: sss_useradd.8.xml:82 sss_usermod.8.xml:66
3770
"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
3773
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3774
#: sss_useradd.8.xml:87
3776
"The user's login shell. The default is currently <filename>/bin/bash</"
3777
"filename>. The default can be changed with <quote>user_defaults/"
3778
"defaultShell</quote> setting in sssd.conf."
3781
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3782
#: sss_useradd.8.xml:96
3784
"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
3788
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3789
#: sss_useradd.8.xml:101
3790
msgid "A list of existing groups this user is also a member of."
3793
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3794
#: sss_useradd.8.xml:107
3795
msgid "<option>-m</option>,<option>--create-home</option>"
3798
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3799
#: sss_useradd.8.xml:111
3801
"Create the user's home directory if it does not exist. The files and "
3802
"directories contained in the skeleton directory (which can be defined with "
3803
"the -k option or in the config file) will be copied to the home directory."
3806
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3807
#: sss_useradd.8.xml:121
3808
msgid "<option>-M</option>,<option>--no-create-home</option>"
3811
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3812
#: sss_useradd.8.xml:125
3814
"Do not create the user's home directory. Overrides configuration settings."
3817
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3818
#: sss_useradd.8.xml:132
3820
"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
3824
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3825
#: sss_useradd.8.xml:137
3827
"The skeleton directory, which contains files and directories to be copied in "
3828
"the user's home directory, when the home directory is created by "
3829
"<command>sss_useradd</command>."
3832
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3833
#: sss_useradd.8.xml:143
3835
"This option is only valid if the <option>-m</option> (or <option>--create-"
3836
"home</option>) option is specified, or creation of home directories is set "
3837
"to TRUE in the configuration."
3840
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3841
#: sss_useradd.8.xml:152 sss_usermod.8.xml:124
3843
"<option>-Z</option>,<option>--selinux-user</option> "
3844
"<replaceable>SELINUX_USER</replaceable>"
3847
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3848
#: sss_useradd.8.xml:157
3850
"The SELinux user for the user's login. If not specified, the system default "
3854
#. type: Content of: <reference><refentry><refsect1><para>
3855
#: sss_useradd.8.xml:169
3857
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
3858
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
3859
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3860
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
3861
"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
3862
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3863
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
3864
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
3865
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
3868
#. type: Content of: <reference><refentry><refnamediv><refname>
3869
#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
3873
#. type: Content of: <reference><refentry><refsect1><para>
3874
#: sssd-krb5.5.xml:23
3876
"This manual page describes the configuration of the Kerberos 5 "
3877
"authentication backend for <citerefentry> <refentrytitle>sssd</"
3878
"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed "
3879
"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
3880
"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
3881
"manvolnum> </citerefentry> manual page"
3884
#. type: Content of: <reference><refentry><refsect1><para>
3885
#: sssd-krb5.5.xml:36
3887
"The Kerberos 5 authentication backend contains auth and chpass providers. It "
3888
"must be paired with identity provider in order to function properly (for "
3889
"example, id_provider = ldap). Some information required by the Kerberos 5 "
3890
"authentication backend must be provided by the identity provider, such as "
3891
"the user's Kerberos Principal Name (UPN). The configuration of the identity "
3892
"provider should have an entry to specify the UPN. Please refer to the man "
3893
"page for the applicable identity provider for details on how to configure "
3897
#. type: Content of: <reference><refentry><refsect1><para>
3898
#: sssd-krb5.5.xml:47
3900
"This backend also provides access control based on the .k5login file in the "
3901
"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
3902
"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
3903
"Please note that an empty .k5login file will deny all access to this user. "
3904
"To activate this feature use 'access_provider = krb5' in your sssd "
3908
#. type: Content of: <reference><refentry><refsect1><para>
3909
#: sssd-krb5.5.xml:55
3911
"In the case where the UPN is not available in the identity backend "
3912
"<command>sssd</command> will construct a UPN using the format "
3913
"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
3916
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3917
#: sssd-krb5.5.xml:106
3919
"The name of the Kerberos realm. This option is required and must be "
3923
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3924
#: sssd-krb5.5.xml:113
3925
msgid "krb5_kpasswd (string)"
3928
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3929
#: sssd-krb5.5.xml:116
3931
"If the change password service is not running on the KDC, alternative servers "
3932
"can be defined here. An optional port number (preceded by a colon) may be "
3933
"appended to the addresses or hostnames."
3936
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3937
#: sssd-krb5.5.xml:122
3939
"For more information on failover and server redundancy, see the "
3940
"<quote>FAILOVER</quote> section. Please note that even if there are no more "
3941
"kpasswd servers to try, the back end is not switched to offline if "
3942
"authentication against the KDC is still possible."
3945
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3946
#: sssd-krb5.5.xml:129
3947
msgid "Default: Use the KDC"
3950
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3951
#: sssd-krb5.5.xml:135
3952
msgid "krb5_ccachedir (string)"
3955
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3956
#: sssd-krb5.5.xml:138
3958
"Directory to store credential caches. All the substitution sequences of "
3959
"krb5_ccname_template can be used here, too, except %d and %P. If the "
3960
"directory does not exist it will be created. If %u, %U, %p or %h are used a "
3961
"private directory belonging to the user is created. Otherwise a public "
3962
"directory with restricted deletion flag (aka sticky bit, see <citerefentry> "
3963
"<refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> </"
3964
"citerefentry> for details) is created."
3967
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3968
#: sssd-krb5.5.xml:151
3969
msgid "Default: /tmp"
3972
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3973
#: sssd-krb5.5.xml:157
3974
msgid "krb5_ccname_template (string)"
3977
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
3978
#: sssd-krb5.5.xml:166
3982
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
3983
#: sssd-krb5.5.xml:167
3987
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
3988
#: sssd-krb5.5.xml:170
3992
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
3993
#: sssd-krb5.5.xml:171
3997
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
3998
#: sssd-krb5.5.xml:174
4002
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4003
#: sssd-krb5.5.xml:175
4004
msgid "principal name"
4007
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4008
#: sssd-krb5.5.xml:179
4012
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4013
#: sssd-krb5.5.xml:180
4017
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4018
#: sssd-krb5.5.xml:183
4022
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4023
#: sssd-krb5.5.xml:184
4024
msgid "home directory"
4027
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4028
#: sssd-krb5.5.xml:188
4032
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4033
#: sssd-krb5.5.xml:189
4034
msgid "value of krb5_ccachedir"
4037
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4038
#: sssd-krb5.5.xml:194
4042
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4043
#: sssd-krb5.5.xml:195
4044
msgid "the process ID of the sssd client"
4047
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4048
#: sssd-krb5.5.xml:200
4052
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4053
#: sssd-krb5.5.xml:201
4054
msgid "a literal '%'"
4057
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4058
#: sssd-krb5.5.xml:160
4060
"Location of the user's credential cache. Currently only file based "
4061
"credential caches are supported. In the template the following sequences are "
4062
"substituted: <placeholder type=\"variablelist\" id=\"0\"/> If the template "
4063
"ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe "
4067
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4068
#: sssd-krb5.5.xml:209
4069
msgid "Default: FILE:%d/krb5cc_%U_XXXXXX"
4072
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4073
#: sssd-krb5.5.xml:215
4074
msgid "krb5_auth_timeout (integer)"
4077
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4078
#: sssd-krb5.5.xml:218
4080
"Timeout in seconds after which an online authentication or change password request "
4081
"is aborted. If possible the authentication request is continued offline."
4084
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4085
#: sssd-krb5.5.xml:241
4086
msgid "krb5_keytab (string)"
4089
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4090
#: sssd-krb5.5.xml:244
4092
"The location of the keytab to use when validating credentials obtained from "
4096
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4097
#: sssd-krb5.5.xml:248
4098
msgid "Default: /etc/krb5.keytab"
4101
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4102
#: sssd-krb5.5.xml:254
4103
msgid "krb5_store_password_if_offline (boolean)"
4106
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4107
#: sssd-krb5.5.xml:257
4109
"Store the password of the user if the provider is offline and use it to "
4110
"request a TGT when the provider gets online again."
4113
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4114
#: sssd-krb5.5.xml:262
4116
"Please note that this feature is currently only available on a Linux platform."
4119
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4120
#: sssd-krb5.5.xml:272
4121
msgid "krb5_renewable_lifetime (string)"
4124
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4125
#: sssd-krb5.5.xml:275
4127
"Request a renewable ticket with a total lifetime given by an integer "
4128
"immediately followed by one of the following delimiters:"
4131
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4132
#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
4133
msgid "<emphasis>s</emphasis> seconds"
4136
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4137
#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
4138
msgid "<emphasis>m</emphasis> minutes"
4141
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4142
#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
4143
msgid "<emphasis>h</emphasis> hours"
4146
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4147
#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
4148
msgid "<emphasis>d</emphasis> days."
4151
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4152
#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
4153
msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
4156
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4157
#: sssd-krb5.5.xml:296
4159
"Please note that it is not possible to mix units. If you want to set the "
4160
"renewable lifetime to one and a half hours please use '90m' instead of "
4164
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4165
#: sssd-krb5.5.xml:302
4166
msgid "Default: not set, i.e. the TGT is not renewable"
4169
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4170
#: sssd-krb5.5.xml:308
4171
msgid "krb5_lifetime (string)"
4174
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4175
#: sssd-krb5.5.xml:311
4177
"Request a ticket with a lifetime given by an integer immediately "
4178
"followed by one of the following delimiters:"
4181
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4182
#: sssd-krb5.5.xml:332
4184
"Please note that it is not possible to mix units. If you want to set the "
4185
"lifetime to one and a half hours please use '90m' instead of '1h30m'."
4188
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4189
#: sssd-krb5.5.xml:337
4191
"Default: not set, i.e. the default ticket lifetime configured on the KDC."
4194
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4195
#: sssd-krb5.5.xml:344
4196
msgid "krb5_renew_interval (integer)"
4199
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4200
#: sssd-krb5.5.xml:347
4202
"The time in seconds between two checks if the TGT should be renewed. TGTs "
4203
"are renewed if about half of their lifetime is exceeded."
4206
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4207
#: sssd-krb5.5.xml:352
4208
msgid "If this option is not set or is 0, automatic renewal is disabled."
4211
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4212
#: sssd-krb5.5.xml:362
4213
msgid "krb5_use_fast (string)"
4216
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4217
#: sssd-krb5.5.xml:365
4219
"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
4220
"authentication. The following options are supported:"
4223
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4224
#: sssd-krb5.5.xml:370
4226
"<emphasis>never</emphasis> use FAST. This is equivalent to not setting this "
4230
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4231
#: sssd-krb5.5.xml:374
4233
"<emphasis>try</emphasis> to use FAST, if the server does not support fast "
4237
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4238
#: sssd-krb5.5.xml:378
4240
"<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
4244
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4245
#: sssd-krb5.5.xml:382
4246
msgid "Default: not set, i.e. FAST is not used."
4249
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4250
#: sssd-krb5.5.xml:385
4251
msgid "Please note that a keytab is required to use FAST."
4254
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4255
#: sssd-krb5.5.xml:388
4257
"Please note also that sssd supports FAST only with MIT Kerberos version 1.8 "
4258
"and above. If sssd is used with an older version, using this option is a "
4259
"configuration error."
4262
#. type: Content of: <reference><refentry><refsect1><para>
4263
#: sssd-krb5.5.xml:65
4265
"If the auth-module krb5 is used in a SSSD domain, the following options must "
4266
"be used. See the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
4267
"<manvolnum>5</manvolnum> </citerefentry> manual page, section <quote>DOMAIN "
4268
"SECTIONS</quote> for details on the configuration of a SSSD domain. "
4269
"<placeholder type=\"variablelist\" id=\"0\"/>"
4272
#. type: Content of: <reference><refentry><refsect1><para>
4273
#: sssd-krb5.5.xml:407
4275
"The following example assumes that SSSD is correctly configured and FOO is "
4276
"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
4277
"example shows only configuration of Kerberos authentication, it does not "
4278
"include any identity provider."
4281
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
4282
#: sssd-krb5.5.xml:415
4286
" auth_provider = krb5\n"
4287
" krb5_server = 192.168.1.1\n"
4288
" krb5_realm = EXAMPLE.COM\n"
4291
#. type: Content of: <reference><refentry><refsect1><para>
4292
#: sssd-krb5.5.xml:426
4294
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
4295
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
4296
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
4297
"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
4300
#. type: Content of: <reference><refentry><refnamediv><refname>
4301
#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
4302
msgid "sss_groupadd"
4305
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
4306
#: sss_groupadd.8.xml:16
4307
msgid "create a new group"
4310
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
4311
#: sss_groupadd.8.xml:21
4313
"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
4314
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
4318
#. type: Content of: <reference><refentry><refsect1><para>
4319
#: sss_groupadd.8.xml:32
4321
"<command>sss_groupadd</command> creates a new group. These groups are "
4322
"compatible with POSIX groups, with the additional feature that they can "
4323
"contain other groups as members."
4326
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
4327
#: sss_groupadd.8.xml:43
4329
"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
4332
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4333
#: sss_groupadd.8.xml:48
4335
"Set the GID of the group to the value of <replaceable>GID</replaceable>. If "
4336
"not given, it is chosen automatically."
4339
#. type: Content of: <reference><refentry><refsect1><para>
4340
#: sss_groupadd.8.xml:60
4342
"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
4343
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
4344
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
4345
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
4346
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
4347
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
4348
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
4349
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
4350
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
4353
#. type: Content of: <reference><refentry><refnamediv><refname>
4354
#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
4358
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
4359
#: sss_userdel.8.xml:16
4360
msgid "delete a user account"
4363
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
4364
#: sss_userdel.8.xml:21
4366
"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
4367
"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
4371
#. type: Content of: <reference><refentry><refsect1><para>
4372
#: sss_userdel.8.xml:32
4374
"<command>sss_userdel</command> deletes a user identified by login name "
4375
"<replaceable>LOGIN</replaceable> from the system."
4378
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
4379
#: sss_userdel.8.xml:44
4380
msgid "<option>-r</option>,<option>--remove</option>"
4383
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4384
#: sss_userdel.8.xml:48
4386
"Files in the user's home directory will be removed along with the home "
4387
"directory itself and the user's mail spool. Overrides the configuration."
4390
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
4391
#: sss_userdel.8.xml:56
4392
msgid "<option>-R</option>,<option>--no-remove</option>"
4395
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4396
#: sss_userdel.8.xml:60
4398
"Files in the user's home directory will NOT be removed along with the home "
4399
"directory itself and the user's mail spool. Overrides the configuration."
4402
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
4403
#: sss_userdel.8.xml:68
4404
msgid "<option>-f</option>,<option>--force</option>"
4407
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4408
#: sss_userdel.8.xml:72
4410
"This option forces <command>sss_userdel</command> to remove the user's home "
4411
"directory and mail spool, even if they are not owned by the specified user."
4414
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
4415
#: sss_userdel.8.xml:80
4416
msgid "<option>-k</option>,<option>--kick</option>"
4419
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4420
#: sss_userdel.8.xml:84
4421
msgid "Before actually deleting the user, terminate all his processes."
4424
#. type: Content of: <reference><refentry><refsect1><para>
4425
#: sss_userdel.8.xml:95
4427
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
4428
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
4429
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
4430
"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
4431
"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
4432
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
4433
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
4434
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
4435
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
4438
#. type: Content of: <reference><refentry><refnamediv><refname>
4439
#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
4440
msgid "sss_groupdel"
4443
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
4444
#: sss_groupdel.8.xml:16
4445
msgid "delete a group"
4448
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
4449
#: sss_groupdel.8.xml:21
4451
"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
4452
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
4456
#. type: Content of: <reference><refentry><refsect1><para>
4457
#: sss_groupdel.8.xml:32
4459
"<command>sss_groupdel</command> deletes a group identified by its name "
4460
"<replaceable>GROUP</replaceable> from the system."
4463
#. type: Content of: <reference><refentry><refsect1><para>
4464
#: sss_groupdel.8.xml:48
4466
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
4467
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
4468
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
4469
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
4470
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
4471
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
4472
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
4473
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
4474
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
4477
#. type: Content of: <reference><refentry><refnamediv><refname>
4478
#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
4479
msgid "sss_groupshow"
4482
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
4483
#: sss_groupshow.8.xml:16
4484
msgid "print properties of a group"
4487
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
4488
#: sss_groupshow.8.xml:21
4490
"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
4491
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
4495
#. type: Content of: <reference><refentry><refsect1><para>
4496
#: sss_groupshow.8.xml:32
4498
"<command>sss_groupshow</command> displays information about a group "
4499
"identified by its name <replaceable>GROUP</replaceable>. The information "
4500
"includes the group ID number, members of the group and the parent group."
4503
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
4504
#: sss_groupshow.8.xml:43
4505
msgid "<option>-R</option>,<option>--recursive</option>"
4508
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4509
#: sss_groupshow.8.xml:47
4511
"Also print indirect group members in a tree-like hierarchy. Note that this "
4512
"also affects printing parent groups - without <option>-R</option>, only the "
4513
"direct parent will be printed."
4516
#. type: Content of: <reference><refentry><refsect1><para>
4517
#: sss_groupshow.8.xml:60
4519
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
4520
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
4521
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
4522
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
4523
"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
4524
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
4525
"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
4529
#. type: Content of: <reference><refentry><refnamediv><refname>
4530
#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
4534
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
4535
#: sss_usermod.8.xml:16
4536
msgid "modify a user account"
4539
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
4540
#: sss_usermod.8.xml:21
4542
"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
4543
"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
4547
#. type: Content of: <reference><refentry><refsect1><para>
4548
#: sss_usermod.8.xml:32
4550
"<command>sss_usermod</command> modifies the account specified by "
4551
"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
4552
"on the command line."
4555
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4556
#: sss_usermod.8.xml:60
4557
msgid "The home directory of the user account."
4560
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4561
#: sss_usermod.8.xml:71
4562
msgid "The user's login shell."
4565
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4566
#: sss_usermod.8.xml:82
4568
"Append this user to groups specified by the <replaceable>GROUPS</"
4569
"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
4570
"a comma separated list of group names."
4573
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4574
#: sss_usermod.8.xml:96
4576
"Remove this user from groups specified by the <replaceable>GROUPS</"
4577
"replaceable> parameter."
4580
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
4581
#: sss_usermod.8.xml:103
4582
msgid "<option>-l</option>,<option>--lock</option>"
4585
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4586
#: sss_usermod.8.xml:107
4587
msgid "Lock the user account. The user won't be able to log in."
4590
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
4591
#: sss_usermod.8.xml:114
4592
msgid "<option>-u</option>,<option>--unlock</option>"
4595
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4596
#: sss_usermod.8.xml:118
4597
msgid "Unlock the user account."
4600
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
4601
#: sss_usermod.8.xml:129
4602
msgid "The SELinux user for the user's login."
4605
#. type: Content of: <reference><refentry><refsect1><para>
4606
#: sss_usermod.8.xml:140
4608
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
4609
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
4610
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
4611
"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
4612
"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
4613
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
4614
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
4615
"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
4616
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
4619
#. type: Content of: <refsect1><title>
4620
#: include/service_discovery.xml:2
4621
msgid "SERVICE DISCOVERY"
4624
#. type: Content of: <refsect1><para>
4625
#: include/service_discovery.xml:4
4627
"The service discovery feature allows back ends to automatically find the "
4628
"appropriate servers to connect to using a special DNS query."
4631
#. type: Content of: <refsect1><refsect2><title>
4632
#: include/service_discovery.xml:9
4633
msgid "Configuration"
4636
#. type: Content of: <refsect1><refsect2><para>
4637
#: include/service_discovery.xml:11
4639
"If no servers are specified, the back end automatically uses service "
4640
"discovery to try to find a server. Optionally, the user may choose to use "
4641
"both fixed server addresses and service discovery by inserting a special "
4642
"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
4643
"preference is maintained. This feature is useful if, for example, the user "
4644
"prefers to use service discovery whenever possible, and fall back to a "
4645
"specific server when no servers can be discovered using DNS."
4648
#. type: Content of: <refsect1><refsect2><title>
4649
#: include/service_discovery.xml:23
4650
msgid "The domain name"
4653
#. type: Content of: <refsect1><refsect2><para>
4654
#: include/service_discovery.xml:25
4656
"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
4657
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
4658
"manvolnum> </citerefentry> manual page for more details."
4661
#. type: Content of: <refsect1><refsect2><title>
4662
#: include/service_discovery.xml:35
4663
msgid "The protocol"
4666
#. type: Content of: <refsect1><refsect2><para>
4667
#: include/service_discovery.xml:37
4669
"The queries usually specify _tcp as the protocol. Exceptions are documented "
4670
"in the respective option descriptions."
4673
#. type: Content of: <refsect1><refsect2><title>
4674
#: include/service_discovery.xml:42
4678
#. type: Content of: <refsect1><refsect2><para>
4679
#: include/service_discovery.xml:44
4681
"For more information on the service discovery mechanism, refer to RFC 2782."
4684
#. type: Content of: outside any tag (error?)
4685
#: include/upstream.xml:1
4686
msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
4689
#. type: Content of: <refsect1><title>
4690
#: include/failover.xml:2
4694
#. type: Content of: <refsect1><para>
4695
#: include/failover.xml:4
4697
"The failover feature allows back ends to automatically switch to a different "
4698
"server if the primary server fails."
4701
#. type: Content of: <refsect1><refsect2><title>
4702
#: include/failover.xml:8
4703
msgid "Failover Syntax"
4706
#. type: Content of: <refsect1><refsect2><para>
4707
#: include/failover.xml:10
4709
"The list of servers is given as a comma-separated list; any number of spaces "
4710
"is allowed around the comma. The servers are listed in order of preference. "
4711
"The list can contain any number of servers."
4714
#. type: Content of: <refsect1><refsect2><title>
4715
#: include/failover.xml:17
4716
msgid "The Failover Mechanism"
4719
#. type: Content of: <refsect1><refsect2><para>
4720
#: include/failover.xml:19
4722
"The failover mechanism distinguishes between a machine and a service. The "
4723
"back end first tries to resolve the hostname of a given machine; if this "
4724
"resolution attempt fails, the machine is considered offline. No further "
4725
"attempts are made to connect to this machine for any other service. If the "
4726
"resolution attempt succeeds, the back end tries to connect to a service on "
4727
"this machine. If the service connection attempt fails, then only this "
4728
"particular service is considered offline and the back end automatically "
4729
"switches over to the next service. The machine is still considered online "
4730
"and might still be tried for another service."
4733
#. type: Content of: <refsect1><refsect2><para>
4734
#: include/failover.xml:32
4736
"Further connection attempts are made to machines or services marked as "
4737
"offline after a specified period of time; this is currently hard coded to 30 "
4741
#. type: Content of: <refsect1><refsect2><para>
4742
#: include/failover.xml:37
4744
"If there are no more machines to try, the back end as a whole switches to "
4745
"offline mode, and then attempts to reconnect every 30 seconds."
4748
#. type: Content of: <varlistentry><term>
4749
#: include/param_help.xml:3
4750
msgid "<option>-h</option>,<option>--help</option>"
4753
#. type: Content of: <varlistentry><listitem><para>
4754
#: include/param_help.xml:7
4755
msgid "Display help message and exit."