1
# SOME DESCRIPTIVE TITLE
2
# Copyright (C) YEAR Red Hat
3
# This file is distributed under the same license as the sssd-docs package.
7
"Project-Id-Version: SSSD\n"
8
"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
9
"POT-Creation-Date: 2011-05-27 16:03-0300\n"
10
"PO-Revision-Date: 2011-05-27 20:01+0000\n"
11
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
12
"Language-Team: Norwegian Nynorsk (http://www.transifex.net/projects/p/fedora/"
16
"Content-Type: text/plain; charset=UTF-8\n"
17
"Content-Transfer-Encoding: 8bit\n"
18
"Plural-Forms: nplurals=2; plural=(n != 1)\n"
20
#. type: Content of: <reference><title>
21
#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
22
#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5
23
#: sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5
24
#: sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5
25
#: sss_groupshow.8.xml:5 sss_usermod.8.xml:5
26
msgid "SSSD Manual pages"
29
#. type: Content of: <reference><refentry><refnamediv><refname>
30
#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
34
#. type: Content of: <reference><refentry><refmeta><manvolnum>
35
#: sss_groupmod.8.xml:11 pam_sss.8.xml:14 sssd_krb5_locator_plugin.8.xml:11
36
#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_useradd.8.xml:11
37
#: sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11
38
#: sss_groupshow.8.xml:11 sss_usermod.8.xml:11
42
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
43
#: sss_groupmod.8.xml:16
44
msgid "modify a group"
47
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
48
#: sss_groupmod.8.xml:21
50
"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
51
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
55
#. type: Content of: <reference><refentry><refsect1><title>
56
#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
57
#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
58
#: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
59
#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
60
#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
64
#. type: Content of: <reference><refentry><refsect1><para>
65
#: sss_groupmod.8.xml:32
67
"<command>sss_groupmod</command> modifies the group to reflect the changes "
68
"that are specified on the command line."
71
#. type: Content of: <reference><refentry><refsect1><title>
72
#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
73
#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
74
#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
78
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
79
#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
81
"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
85
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
86
#: sss_groupmod.8.xml:48
88
"Append this group to groups specified by the <replaceable>GROUPS</"
89
"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
90
"a comma separated list of group names."
93
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
94
#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
96
"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
100
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
101
#: sss_groupmod.8.xml:62
103
"Remove this group from groups specified by the <replaceable>GROUPS</"
104
"replaceable> parameter."
107
#. type: Content of: <reference><refentry><refsect1><title>
108
#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1008 sssd-ldap.5.xml:1418
109
#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
110
#: sssd-ipa.5.xml:206 sssd.8.xml:166 sss_obfuscate.8.xml:103
111
#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
112
#: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
113
#: sss_usermod.8.xml:138
117
#. type: Content of: <reference><refentry><refsect1><para>
118
#: sss_groupmod.8.xml:74
120
"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
121
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
122
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
123
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
124
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
125
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
126
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
127
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
128
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
131
#. type: Content of: <reference><refentry><refnamediv><refname>
132
#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
136
#. type: Content of: <reference><refentry><refmeta><manvolnum>
137
#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
138
#: sssd-ipa.5.xml:11 sssd-krb5.5.xml:11
142
#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
143
#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
144
#: sssd-ipa.5.xml:12 sssd-krb5.5.xml:12
145
msgid "File Formats and Conventions"
148
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
149
#: sssd.conf.5.xml:17 sssd-ldap.5.xml:17 sssd_krb5_locator_plugin.8.xml:16
150
#: sssd-ipa.5.xml:17 sssd-krb5.5.xml:17
151
msgid "the configuration file for SSSD"
154
#. type: Content of: <reference><refentry><refsect1><title>
155
#: sssd.conf.5.xml:21
159
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
160
#: sssd.conf.5.xml:29
163
" <replaceable>[section]</replaceable>\n"
164
" <replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
165
" <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
169
#. type: Content of: <reference><refentry><refsect1><para>
170
#: sssd.conf.5.xml:24
172
"The file has an ini-style syntax and consists of sections and parameters. A "
173
"section begins with the name of the section in square brackets and continues "
174
"until the next section begins. An example of section with single and multi-"
175
"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
178
#. type: Content of: <reference><refentry><refsect1><para>
179
#: sssd.conf.5.xml:36
181
"The data types used are string (no quotes needed), integer and bool (with "
182
"values of <quote>TRUE/FALSE</quote>)."
185
#. type: Content of: <reference><refentry><refsect1><para>
186
#: sssd.conf.5.xml:41
188
"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
192
#. type: Content of: <reference><refentry><refsect1><para>
193
#: sssd.conf.5.xml:46
195
"All sections can have an optional <replaceable>description</replaceable> "
196
"parameter. Its function is only as a label for the section."
199
#. type: Content of: <reference><refentry><refsect1><para>
200
#: sssd.conf.5.xml:52
202
"<filename>sssd.conf</filename> must be a regular file, owned by root and "
203
"only root may read from or write to the file."
206
#. type: Content of: <reference><refentry><refsect1><title>
207
#: sssd.conf.5.xml:58
208
msgid "SPECIAL SECTIONS"
211
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
212
#: sssd.conf.5.xml:61
213
msgid "The [sssd] section"
216
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
217
#: sssd.conf.5.xml:70 sssd.conf.5.xml:854
218
msgid "Section parameters"
221
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
222
#: sssd.conf.5.xml:72
223
msgid "config_file_version (integer)"
226
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
227
#: sssd.conf.5.xml:75
229
"Indicates what is the syntax of the config file. SSSD 0.6.0 and later use "
233
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
234
#: sssd.conf.5.xml:81
238
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
239
#: sssd.conf.5.xml:84
241
"Comma separated list of services that are started when sssd itself starts."
244
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
245
#: sssd.conf.5.xml:88
246
msgid "Supported services: nss, pam"
249
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
250
#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
251
msgid "reconnection_retries (integer)"
254
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
255
#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
257
"Number of times services should attempt to reconnect in the event of a Data "
258
"Provider crash or restart before they give up"
261
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
262
#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
266
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
267
#: sssd.conf.5.xml:106
271
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
272
#: sssd.conf.5.xml:109
274
"A domain is a database containing user information. SSSD can use more "
275
"domains at the same time, but at least one must be configured or SSSD won't "
276
"start. This parameter described the list of domains in the order you want "
277
"them to be queried."
280
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
281
#: sssd.conf.5.xml:119
282
msgid "re_expression (string)"
285
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
286
#: sssd.conf.5.xml:122
288
"Regular expression that describes how to parse the string containing user "
289
"name and domain into these components."
292
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
293
#: sssd.conf.5.xml:126
295
"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
296
"which translates to \"the name is everything up to the <quote>@</quote> "
297
"sign, the domain everything after that\""
300
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
301
#: sssd.conf.5.xml:131
303
"PLEASE NOTE: the support for non-unique named subpatterns is not available "
304
"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
305
"version 7 or higher can support non-unique named subpatterns."
308
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
309
#: sssd.conf.5.xml:138
311
"PLEASE NOTE ALSO: older version of libpcre only support the Python syntax (?"
312
"P<name>) to label subpatterns."
315
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
316
#: sssd.conf.5.xml:145
317
msgid "full_name_format (string)"
320
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
321
#: sssd.conf.5.xml:148
323
"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
324
"manvolnum> </citerefentry>-compatible format that describes how to translate "
325
"a (name, domain) tuple into a fully qualified name."
328
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
329
#: sssd.conf.5.xml:156
330
msgid "Default: <quote>%1$s@%2$s</quote>."
333
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
334
#: sssd.conf.5.xml:161
335
msgid "try_inotify (boolean)"
338
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
339
#: sssd.conf.5.xml:164
341
"SSSD monitors the state of resolv.conf to identify when it needs to update "
342
"its internal DNS resolver. By default, we will attempt to use inotify for "
343
"this, and will fall back to polling resolv.conf every five seconds if "
344
"inotify cannot be used."
347
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
348
#: sssd.conf.5.xml:172
350
"There are some limited situations where it is preferred that we should skip "
351
"even trying to use inotify. In these rare cases, this option should be set "
355
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
356
#: sssd.conf.5.xml:178
358
"Default: true on platforms where inotify is supported. False on other "
362
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
363
#: sssd.conf.5.xml:182
365
"Note: this option will have no effect on platforms where inotify is "
366
"unavailable. On these platforms, polling will always be used."
369
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
370
#: sssd.conf.5.xml:63
372
"Individual pieces of SSSD functionality are provided by special SSSD "
373
"services that are started and stopped together with SSSD. The services are "
374
"managed by a special service frequently called <quote>monitor</quote>. The "
375
"<quote>[sssd]</quote> section is used to configure the monitor as well as "
376
"some other important options like the identity domains. <placeholder type="
377
"\"variablelist\" id=\"0\"/>"
380
#. type: Content of: <reference><refentry><refsect1><title>
381
#: sssd.conf.5.xml:195
382
msgid "SERVICES SECTIONS"
385
#. type: Content of: <reference><refentry><refsect1><para>
386
#: sssd.conf.5.xml:197
388
"Settings that can be used to configure different services are described in "
389
"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
390
"section, for example, for NSS service, the section would be <quote>[nss]</"
394
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
395
#: sssd.conf.5.xml:204
396
msgid "General service configuration options"
399
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
400
#: sssd.conf.5.xml:206
401
msgid "These options can be used to configure any service."
404
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
405
#: sssd.conf.5.xml:210
406
msgid "debug_level (integer)"
409
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
410
#: sssd.conf.5.xml:213
412
"Sets the debug level for the service. The value can be in range from 0 (only "
413
"critical messages) to 10 (very verbose)."
416
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
417
#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
421
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
422
#: sssd.conf.5.xml:223 sssd.8.xml:58
423
msgid "debug_timestamps (bool)"
426
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
427
#: sssd.conf.5.xml:226 sssd.8.xml:61
428
msgid "Add a timestamp to the debug messages"
431
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
432
#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1044
433
#: sssd-ldap.5.xml:1149 sssd-ipa.5.xml:155
434
msgid "Default: true"
437
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
438
#: sssd.conf.5.xml:247
439
msgid "command (string)"
442
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
443
#: sssd.conf.5.xml:250
445
"By default, the executable representing this service is called <command>sssd_"
446
"${service_name}</command>. This directive allows to change the executable "
447
"name for the service. In the vast majority of configurations, the default "
448
"values should suffice."
451
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
452
#: sssd.conf.5.xml:258
453
msgid "Default: <command>sssd_${service_name}</command>"
456
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
457
#: sssd.conf.5.xml:266
458
msgid "NSS configuration options"
461
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
462
#: sssd.conf.5.xml:268
464
"These options can be used to configure the Name Service Switch (NSS) service."
467
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
468
#: sssd.conf.5.xml:273
469
msgid "enum_cache_timeout (integer)"
472
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
473
#: sssd.conf.5.xml:276
475
"How many seconds should nss_sss cache enumerations (requests for info about "
479
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
480
#: sssd.conf.5.xml:280
484
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
485
#: sssd.conf.5.xml:285
486
msgid "entry_cache_nowait_percentage (integer)"
489
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
490
#: sssd.conf.5.xml:288
492
"The entry cache can be set to automatically update entries in the background "
493
"if they are requested beyond a percentage of the entry_cache_timeout value "
497
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
498
#: sssd.conf.5.xml:294
500
"For example, if the domain's entry_cache_timeout is set to 30s and "
501
"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
502
"after 15 seconds past the last cache update will be returned immediately, "
503
"but the SSSD will go and update the cache on its own, so that future "
504
"requests will not need to block waiting for a cache update."
507
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
508
#: sssd.conf.5.xml:304
510
"Valid values for this option are 0-99 and represent a percentage of the "
511
"entry_cache_timeout for each domain. For performance reasons, this "
512
"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
513
"disables this feature)"
516
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
517
#: sssd.conf.5.xml:317
518
msgid "entry_negative_timeout (integer)"
521
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
522
#: sssd.conf.5.xml:320
524
"Specifies for how many seconds nss_sss should cache negative cache hits "
525
"(that is, queries for invalid database entries, like nonexistent ones) "
526
"before asking the back end again."
529
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
530
#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
534
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
535
#: sssd.conf.5.xml:331
536
msgid "filter_users, filter_groups (string)"
539
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
540
#: sssd.conf.5.xml:334
542
"Exclude certain users from being fetched from the sss NSS database. This is "
543
"particularly useful for system accounts. This option can also be set per-"
544
"domain or include fully-qualified names to filter only users from the "
548
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
549
#: sssd.conf.5.xml:341
550
msgid "Default: root"
553
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
554
#: sssd.conf.5.xml:346
555
msgid "filter_users_in_groups (bool)"
558
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
559
#: sssd.conf.5.xml:349
561
"If you want filtered user still be group members set this option to false."
564
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
565
#: sssd.conf.5.xml:360
566
msgid "PAM configuration options"
569
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
570
#: sssd.conf.5.xml:362
572
"These options can be used to configure the Pluggable Authentication Module "
576
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
577
#: sssd.conf.5.xml:367
578
msgid "offline_credentials_expiration (integer)"
581
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
582
#: sssd.conf.5.xml:370
584
"If the authentication provider is offline, how long should we allow cached "
585
"logins (in days since the last successful online login)."
588
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
589
#: sssd.conf.5.xml:375 sssd.conf.5.xml:388
590
msgid "Default: 0 (No limit)"
593
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
594
#: sssd.conf.5.xml:381
595
msgid "offline_failed_login_attempts (integer)"
598
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
599
#: sssd.conf.5.xml:384
601
"If the authentication provider is offline, how many failed login attempts "
605
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
606
#: sssd.conf.5.xml:394
607
msgid "offline_failed_login_delay (integer)"
610
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
611
#: sssd.conf.5.xml:397
613
"The time in minutes which has to pass after offline_failed_login_attempts "
614
"has been reached before a new login attempt is possible."
617
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
618
#: sssd.conf.5.xml:402
620
"If set to 0 the user cannot authenticate offline if "
621
"offline_failed_login_attempts has been reached. Only a successful online "
622
"authentication can enable enable offline authentication again."
625
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
626
#: sssd.conf.5.xml:408 sssd.conf.5.xml:461 sssd.conf.5.xml:793
630
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
631
#: sssd.conf.5.xml:414
632
msgid "pam_verbosity (integer)"
635
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
636
#: sssd.conf.5.xml:417
638
"Controls what kind of messages are shown to the user during authentication. "
639
"The higher the number to more messages are displayed."
642
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
643
#: sssd.conf.5.xml:422
644
msgid "Currently sssd supports the following values:"
647
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
648
#: sssd.conf.5.xml:425
649
msgid "<emphasis>0</emphasis>: do not show any message"
652
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
653
#: sssd.conf.5.xml:428
654
msgid "<emphasis>1</emphasis>: show only important messages"
657
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
658
#: sssd.conf.5.xml:432
659
msgid "<emphasis>2</emphasis>: show informational messages"
662
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
663
#: sssd.conf.5.xml:435
664
msgid "<emphasis>3</emphasis>: show all messages and debug information"
667
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
668
#: sssd.conf.5.xml:439
672
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
673
#: sssd.conf.5.xml:444
674
msgid "pam_id_timeout (integer)"
677
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
678
#: sssd.conf.5.xml:447
680
"For any PAM request while SSSD is online, the SSSD will attempt to "
681
"immediately update the cached identity information for the user in order to "
682
"ensure that authentication takes place with the latest information."
685
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
686
#: sssd.conf.5.xml:453
688
"A complete PAM conversation may perform multiple PAM requests, such as "
689
"account management and session opening. This option controls (on a per-"
690
"client-application basis) how long (in seconds) we can cache the identity "
691
"information to avoid excessive round-trips to the identity provider."
694
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
695
#: sssd.conf.5.xml:467
696
msgid "pam_pwd_expiration_warning (integer)"
699
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
700
#: sssd.conf.5.xml:470
701
msgid "Display a warning N days before the password expires."
704
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
705
#: sssd.conf.5.xml:473
707
"Please note that the backend server has to provide information about the "
708
"expiration time of the password. If this information is missing, sssd "
709
"cannot display a warning."
712
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
713
#: sssd.conf.5.xml:479
717
#. type: Content of: <reference><refentry><refsect1><title>
718
#: sssd.conf.5.xml:488
719
msgid "DOMAIN SECTIONS"
722
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
723
#: sssd.conf.5.xml:495
724
msgid "min_id,max_id (integer)"
727
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
728
#: sssd.conf.5.xml:498
730
"UID and GID limits for the domain. If a domain contains an entry that is "
731
"outside these limits, it is ignored."
734
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
735
#: sssd.conf.5.xml:503
737
"For users, this affects the primary GID limit. The user will not be returned "
738
"to NSS if either the UID or the primary GID is outside the range. For non-"
739
"primary group memberships, those that are in range will be reported as "
743
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
744
#: sssd.conf.5.xml:510
745
msgid "Default: 1 for min_id, 0 (no limit) for max_id"
748
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
749
#: sssd.conf.5.xml:516
750
msgid "timeout (integer)"
753
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
754
#: sssd.conf.5.xml:519
756
"Timeout in seconds between heartbeats for this domain. This is used to "
757
"ensure that the backend process is alive and capable of answering requests."
760
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
761
#: sssd.conf.5.xml:524
765
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
766
#: sssd.conf.5.xml:530
767
msgid "enumerate (bool)"
770
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
771
#: sssd.conf.5.xml:533
773
"Determines if a domain can be enumerated. This parameter can have one of the "
777
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
778
#: sssd.conf.5.xml:537
779
msgid "TRUE = Users and groups are enumerated"
782
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
783
#: sssd.conf.5.xml:540
784
msgid "FALSE = No enumerations for this domain"
787
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
788
#: sssd.conf.5.xml:543 sssd.conf.5.xml:591 sssd.conf.5.xml:645
789
msgid "Default: FALSE"
792
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
793
#: sssd.conf.5.xml:546
795
"Note: Enabling enumeration has a moderate performance impact on SSSD while "
796
"enumeration is running. It may take up to several minutes after SSSD startup "
797
"to fully complete enumerations. During this time, individual requests for "
798
"information will go directly to LDAP, though it may be slow, due to the "
799
"heavy enumeration processing."
802
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
803
#: sssd.conf.5.xml:556
805
"While the first enumeration is running, requests for the complete user or "
806
"group lists may return no results until it completes."
809
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
810
#: sssd.conf.5.xml:561
812
"Further, enabling enumeration may increase the time necessary to detect "
813
"network disconnection, as longer timeouts are required to ensure that "
814
"enumeration lookups are completed successfully. For more information, refer "
815
"to the man pages for the specific id_provider in use."
818
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
819
#: sssd.conf.5.xml:572
820
msgid "entry_cache_timeout (integer)"
823
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
824
#: sssd.conf.5.xml:575
826
"How many seconds should nss_sss consider entries valid before asking the "
830
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
831
#: sssd.conf.5.xml:579
832
msgid "Default: 5400"
835
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
836
#: sssd.conf.5.xml:584
837
msgid "cache_credentials (bool)"
840
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
841
#: sssd.conf.5.xml:587
842
msgid "Determines if user credentials are also cached in the local LDB cache"
845
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
846
#: sssd.conf.5.xml:596
847
msgid "account_cache_expiration (integer)"
850
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
851
#: sssd.conf.5.xml:599
853
"Number of days entries are left in cache after last successful login before "
854
"being removed during a cleanup of the cache. 0 means keep forever. The "
855
"value of this parameter must be greater than or equal to "
856
"offline_credentials_expiration."
859
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
860
#: sssd.conf.5.xml:606
861
msgid "Default: 0 (unlimited)"
864
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
865
#: sssd.conf.5.xml:612
866
msgid "id_provider (string)"
869
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
870
#: sssd.conf.5.xml:615
871
msgid "The Data Provider identity backend to use for this domain."
874
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
875
#: sssd.conf.5.xml:619
876
msgid "Supported backends:"
879
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
880
#: sssd.conf.5.xml:622
881
msgid "proxy: Support a legacy NSS provider"
884
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
885
#: sssd.conf.5.xml:625
886
msgid "local: SSSD internal local provider"
889
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
890
#: sssd.conf.5.xml:628
891
msgid "ldap: LDAP provider"
894
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
895
#: sssd.conf.5.xml:634
896
msgid "use_fully_qualified_names (bool)"
899
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
900
#: sssd.conf.5.xml:637
902
"If set to TRUE, all requests to this domain must use fully qualified names. "
903
"For example, if used in LOCAL domain that contains a \"test\" user, "
904
"<command>getent passwd test</command> wouldn't find the user while "
905
"<command>getent passwd test@LOCAL</command> would."
908
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
909
#: sssd.conf.5.xml:650
910
msgid "auth_provider (string)"
913
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
914
#: sssd.conf.5.xml:653
916
"The authentication provider used for the domain. Supported auth providers "
920
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
921
#: sssd.conf.5.xml:657
923
"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
924
"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
925
"citerefentry> for more information on configuring LDAP."
928
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
929
#: sssd.conf.5.xml:664
931
"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
932
"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
933
"citerefentry> for more information on configuring Kerberos."
936
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
937
#: sssd.conf.5.xml:671
939
"<quote>proxy</quote> for relaying authentication to some other PAM target."
942
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
943
#: sssd.conf.5.xml:674
944
msgid "<quote>none</quote> disables authentication explicitly."
947
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
948
#: sssd.conf.5.xml:677
950
"Default: <quote>id_provider</quote> is used if it is set and can handle "
951
"authentication requests."
954
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
955
#: sssd.conf.5.xml:683
956
msgid "access_provider (string)"
959
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
960
#: sssd.conf.5.xml:686
962
"The access control provider used for the domain. There are two built-in "
963
"access providers (in addition to any included in installed backends). "
964
"Internal special providers are:"
967
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
968
#: sssd.conf.5.xml:692
969
msgid "<quote>permit</quote> always allow access."
972
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
973
#: sssd.conf.5.xml:695
974
msgid "<quote>deny</quote> always deny access."
977
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
978
#: sssd.conf.5.xml:698
980
"<quote>simple</quote> access control based on access or deny lists. See "
981
"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
982
"manvolnum></citerefentry> for more information on configuring the simple "
986
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
987
#: sssd.conf.5.xml:705
988
msgid "Default: <quote>permit</quote>"
991
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
992
#: sssd.conf.5.xml:710
993
msgid "chpass_provider (string)"
996
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
997
#: sssd.conf.5.xml:713
999
"The provider which should handle change password operations for the domain. "
1000
"Supported change password providers are:"
1003
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1004
#: sssd.conf.5.xml:718
1006
"<quote>ipa</quote> to change a password stored in an IPA server. See "
1007
"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
1008
"manvolnum> </citerefentry> for more information on configuring IPA."
1011
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1012
#: sssd.conf.5.xml:726
1014
"<quote>ldap</quote> to change a password stored in an LDAP server. See "
1015
"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
1016
"manvolnum> </citerefentry> for more information on configuring LDAP."
1019
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1020
#: sssd.conf.5.xml:734
1022
"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
1023
"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
1024
"citerefentry> for more information on configuring Kerberos."
1027
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1028
#: sssd.conf.5.xml:742
1030
"<quote>proxy</quote> for relaying password changes to some other PAM target."
1033
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1034
#: sssd.conf.5.xml:746
1035
msgid "<quote>none</quote> disallows password changes explicitly."
1038
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1039
#: sssd.conf.5.xml:749
1041
"Default: <quote>auth_provider</quote> is used if it is set and can handle "
1042
"change password requests."
1045
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1046
#: sssd.conf.5.xml:756
1047
msgid "lookup_family_order (string)"
1050
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1051
#: sssd.conf.5.xml:759
1053
"Provides the ability to select preferred address family to use when "
1054
"performing DNS lookups."
1057
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1058
#: sssd.conf.5.xml:763
1059
msgid "Supported values:"
1062
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1063
#: sssd.conf.5.xml:766
1064
msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
1067
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1068
#: sssd.conf.5.xml:769
1069
msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
1072
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1073
#: sssd.conf.5.xml:772
1074
msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
1077
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1078
#: sssd.conf.5.xml:775
1079
msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
1082
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1083
#: sssd.conf.5.xml:778
1084
msgid "Default: ipv4_first"
1087
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1088
#: sssd.conf.5.xml:784
1089
msgid "dns_resolver_timeout (integer)"
1092
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1093
#: sssd.conf.5.xml:787
1095
"Defines the amount of time (in seconds) to wait for a reply from the DNS "
1096
"resolver before assuming that it is unreachable. If this timeout is reached, "
1097
"the domain will continue to operate in offline mode."
1100
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1101
#: sssd.conf.5.xml:799
1102
msgid "dns_discovery_domain (string)"
1105
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1106
#: sssd.conf.5.xml:802
1108
"If service discovery is used in the back end, specifies the domain part of "
1109
"the service discovery DNS query."
1112
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1113
#: sssd.conf.5.xml:806
1114
msgid "Default: Use the domain part of machine's hostname"
1117
#. type: Content of: <reference><refentry><refsect1><para>
1118
#: sssd.conf.5.xml:490
1120
"These configuration options can be present in a domain configuration "
1121
"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
1122
"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
1125
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1126
#: sssd.conf.5.xml:818
1127
msgid "proxy_pam_target (string)"
1130
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1131
#: sssd.conf.5.xml:821
1132
msgid "The proxy target PAM proxies to."
1135
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1136
#: sssd.conf.5.xml:824
1138
"Default: not set by default, you have to take an existing pam configuration "
1139
"or create a new one and add the service name here."
1142
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1143
#: sssd.conf.5.xml:832
1144
msgid "proxy_lib_name (string)"
1147
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1148
#: sssd.conf.5.xml:835
1150
"The name of the NSS library to use in proxy domains. The NSS functions "
1151
"searched for in the library are in the form of _nss_$(libName)_$(function), "
1152
"for example _nss_files_getpwent."
1155
#. type: Content of: <reference><refentry><refsect1><para>
1156
#: sssd.conf.5.xml:814
1158
"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
1162
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
1163
#: sssd.conf.5.xml:847
1164
msgid "The local domain section"
1167
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
1168
#: sssd.conf.5.xml:849
1170
"This section contains settings for a domain that stores users and groups in "
1171
"SSSD native database, that is, a domain that uses "
1172
"<replaceable>id_provider=local</replaceable>."
1175
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1176
#: sssd.conf.5.xml:856
1177
msgid "default_shell (string)"
1180
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1181
#: sssd.conf.5.xml:859
1182
msgid "The default shell for users created with SSSD userspace tools."
1185
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1186
#: sssd.conf.5.xml:863
1187
msgid "Default: <filename>/bin/bash</filename>"
1190
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1191
#: sssd.conf.5.xml:868
1192
msgid "base_directory (string)"
1195
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1196
#: sssd.conf.5.xml:871
1198
"The tools append the login name to <replaceable>base_directory</replaceable> "
1199
"and use that as the home directory."
1202
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1203
#: sssd.conf.5.xml:876
1204
msgid "Default: <filename>/home</filename>"
1207
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1208
#: sssd.conf.5.xml:881
1209
msgid "create_homedir (bool)"
1212
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1213
#: sssd.conf.5.xml:884
1215
"Indicate if a home directory should be created by default for new users. "
1216
"Can be overridden on command line."
1219
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1220
#: sssd.conf.5.xml:888 sssd.conf.5.xml:900
1221
msgid "Default: TRUE"
1224
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1225
#: sssd.conf.5.xml:893
1226
msgid "remove_homedir (bool)"
1229
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1230
#: sssd.conf.5.xml:896
1232
"Indicate if a home directory should be removed by default for deleted "
1233
"users. Can be overridden on command line."
1236
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1237
#: sssd.conf.5.xml:905
1238
msgid "homedir_umask (integer)"
1241
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1242
#: sssd.conf.5.xml:908
1244
"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
1245
"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
1246
"on a newly created home directory."
1249
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1250
#: sssd.conf.5.xml:916
1251
msgid "Default: 077"
1254
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1255
#: sssd.conf.5.xml:921
1256
msgid "skel_dir (string)"
1259
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1260
#: sssd.conf.5.xml:924
1262
"The skeleton directory, which contains files and directories to be copied in "
1263
"the user's home directory, when the home directory is created by "
1264
"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
1265
"manvolnum> </citerefentry>"
1268
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1269
#: sssd.conf.5.xml:934
1270
msgid "Default: <filename>/etc/skel</filename>"
1273
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1274
#: sssd.conf.5.xml:939
1275
msgid "mail_dir (string)"
1278
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1279
#: sssd.conf.5.xml:942
1281
"The mail spool directory. This is needed to manipulate the mailbox when its "
1282
"corresponding user account is modified or deleted. If not specified, a "
1283
"default value is used."
1286
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1287
#: sssd.conf.5.xml:949
1288
msgid "Default: <filename>/var/mail</filename>"
1291
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1292
#: sssd.conf.5.xml:954
1293
msgid "userdel_cmd (string)"
1296
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1297
#: sssd.conf.5.xml:957
1299
"The command that is run after a user is removed. The command is passed the "
1300
"username of the user being removed as the first and only parameter. The "
1301
"return code of the command is not taken into account."
1304
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1305
#: sssd.conf.5.xml:963
1306
msgid "Default: None, no command is run"
1309
#. type: Content of: <reference><refentry><refsect1><title>
1310
#: sssd.conf.5.xml:973 sssd-ldap.5.xml:1386 sssd-simple.5.xml:126
1311
#: sssd-ipa.5.xml:188 sssd-krb5.5.xml:405
1315
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
1316
#: sssd.conf.5.xml:979
1321
"services = nss, pam\n"
1322
"config_file_version = 2\n"
1325
"filter_groups = root\n"
1326
"filter_users = root\n"
1331
"id_provider = ldap\n"
1332
"ldap_uri = ldap://ldap.example.com\n"
1333
"ldap_search_base = dc=example,dc=com\n"
1335
"auth_provider = krb5\n"
1336
"krb5_server = kerberos.example.com\n"
1337
"krb5_realm = EXAMPLE.COM\n"
1338
"cache_credentials = true\n"
1342
"enumerate = False\n"
1345
#. type: Content of: <reference><refentry><refsect1><para>
1346
#: sssd.conf.5.xml:975
1348
"The following example shows a typical SSSD config. It does not describe "
1349
"configuration of the domains themselves - refer to documentation on "
1350
"configuring domains for more details. <placeholder type=\"programlisting\" "
1354
#. type: Content of: <reference><refentry><refsect1><para>
1355
#: sssd.conf.5.xml:1010
1357
"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
1358
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
1359
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
1360
"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
1361
"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
1362
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
1363
"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
1364
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
1365
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
1366
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
1367
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
1368
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
1369
"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </"
1373
#. type: Content of: <reference><refentry><refnamediv><refname>
1374
#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
1378
#. type: Content of: <reference><refentry><refsect1><para>
1379
#: sssd-ldap.5.xml:23
1381
"This manual page describes the configuration of LDAP domains for "
1382
"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
1383
"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
1384
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
1385
"manvolnum> </citerefentry> manual page for detailed syntax information."
1388
#. type: Content of: <reference><refentry><refsect1><para>
1389
#: sssd-ldap.5.xml:35
1390
msgid "You can configure SSSD to use more than one LDAP domain."
1393
#. type: Content of: <reference><refentry><refsect1><para>
1394
#: sssd-ldap.5.xml:38
1396
"LDAP back end supports id, auth, access and chpass providers. If you want to "
1397
"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
1398
"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
1399
"over an unencrypted channel. If the LDAP server is used only as an identity "
1400
"provider, an encrypted channel is not needed. Please refer to "
1401
"<quote>ldap_access_filter</quote> config option for more information about "
1402
"using LDAP as an access provider."
1405
#. type: Content of: <reference><refentry><refsect1><title>
1406
#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:61
1407
#: sssd-krb5.5.xml:63
1408
msgid "CONFIGURATION OPTIONS"
1411
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1412
#: sssd-ldap.5.xml:60
1413
msgid "ldap_uri (string)"
1416
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1417
#: sssd-ldap.5.xml:63
1419
"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
1420
"should connect in the order of preference. Refer to the <quote>FAILOVER</"
1421
"quote> section for more information on failover and server redundancy. If "
1422
"not specified, service discovery is enabled. For more information, refer to "
1423
"the <quote>SERVICE DISCOVERY</quote> section."
1426
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1427
#: sssd-ldap.5.xml:70
1428
msgid "The format of the URI must match the format defined in RFC 2732:"
1431
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1432
#: sssd-ldap.5.xml:73
1433
msgid "ldap[s]://<host>[:port]"
1436
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1437
#: sssd-ldap.5.xml:76
1439
"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
1442
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1443
#: sssd-ldap.5.xml:79
1444
msgid "example: ldap://[fc00::126:25]:389"
1447
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1448
#: sssd-ldap.5.xml:85
1449
msgid "ldap_chpass_uri (string)"
1452
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1453
#: sssd-ldap.5.xml:88
1455
"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
1456
"in the order of preference to change the password of a user. Refer to the "
1457
"<quote>FAILOVER</quote> section for more information on failover and server "
1461
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1462
#: sssd-ldap.5.xml:95
1463
msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
1466
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1467
#: sssd-ldap.5.xml:99
1468
msgid "Default: empty, i.e. ldap_uri is used."
1471
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1472
#: sssd-ldap.5.xml:105
1473
msgid "ldap_search_base (string)"
1476
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1477
#: sssd-ldap.5.xml:108
1478
msgid "The default base DN to use for performing LDAP user operations."
1481
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1482
#: sssd-ldap.5.xml:112
1484
"Default: If not set the value of the defaultNamingContext or namingContexts "
1485
"attribute from the RootDSE of the LDAP server is used. If "
1486
"defaultNamingContext does not exist or has an empty value namingContexts is "
1487
"used. The namingContexts attribute must have a single value with the DN of "
1488
"the search base of the LDAP server to make this work. Multiple values are "
1489
"not supported."
1492
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1493
#: sssd-ldap.5.xml:126
1494
msgid "ldap_schema (string)"
1497
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1498
#: sssd-ldap.5.xml:129
1500
"Specifies the Schema Type in use on the target LDAP server. Depending on "
1501
"the selected schema, the default attribute names retrieved from the servers "
1502
"may vary. The way that some attributes are handled may also differ. Three "
1503
"schema types are currently supported: rfc2307, rfc2307bis and IPA. The main "
1504
"difference between these schema types is how group memberships are recorded "
1505
"in the server. With rfc2307, group members are listed by name in the "
1506
"<emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, group "
1507
"members are listed by DN and stored in the <emphasis>member</emphasis> "
1511
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1512
#: sssd-ldap.5.xml:148
1513
msgid "Default: rfc2307"
1516
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1517
#: sssd-ldap.5.xml:154
1518
msgid "ldap_default_bind_dn (string)"
1521
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1522
#: sssd-ldap.5.xml:157
1523
msgid "The default bind DN to use for performing LDAP operations."
1526
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1527
#: sssd-ldap.5.xml:164
1528
msgid "ldap_default_authtok_type (string)"
1531
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1532
#: sssd-ldap.5.xml:167
1533
msgid "The type of the authentication token of the default bind DN."
1536
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1537
#: sssd-ldap.5.xml:171
1538
msgid "The two mechanisms currently supported are:"
1541
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1542
#: sssd-ldap.5.xml:174
1546
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1547
#: sssd-ldap.5.xml:177
1548
msgid "obfuscated_password"
1551
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1552
#: sssd-ldap.5.xml:180
1553
msgid "default: password"
1556
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1557
#: sssd-ldap.5.xml:186
1558
msgid "ldap_default_authtok (string)"
1561
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1562
#: sssd-ldap.5.xml:189
1564
"The authentication token of the default bind DN. Only clear text passwords "
1565
"are currently supported."
1568
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1569
#: sssd-ldap.5.xml:196
1570
msgid "ldap_user_object_class (string)"
1573
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1574
#: sssd-ldap.5.xml:199
1575
msgid "The object class of a user entry in LDAP."
1578
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1579
#: sssd-ldap.5.xml:202
1580
msgid "Default: posixAccount"
1583
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1584
#: sssd-ldap.5.xml:208
1585
msgid "ldap_user_name (string)"
1588
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1589
#: sssd-ldap.5.xml:211
1590
msgid "The LDAP attribute that corresponds to the user's login name."
1593
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1594
#: sssd-ldap.5.xml:215
1595
msgid "Default: uid"
1598
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1599
#: sssd-ldap.5.xml:221
1600
msgid "ldap_user_uid_number (string)"
1603
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1604
#: sssd-ldap.5.xml:224
1605
msgid "The LDAP attribute that corresponds to the user's id."
1608
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1609
#: sssd-ldap.5.xml:228
1610
msgid "Default: uidNumber"
1613
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1614
#: sssd-ldap.5.xml:234
1615
msgid "ldap_user_gid_number (string)"
1618
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1619
#: sssd-ldap.5.xml:237
1620
msgid "The LDAP attribute that corresponds to the user's primary group id."
1623
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1624
#: sssd-ldap.5.xml:241 sssd-ldap.5.xml:637
1625
msgid "Default: gidNumber"
1628
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1629
#: sssd-ldap.5.xml:247
1630
msgid "ldap_user_gecos (string)"
1633
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1634
#: sssd-ldap.5.xml:250
1635
msgid "The LDAP attribute that corresponds to the user's gecos field."
1638
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1639
#: sssd-ldap.5.xml:254
1640
msgid "Default: gecos"
1643
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1644
#: sssd-ldap.5.xml:260
1645
msgid "ldap_user_home_directory (string)"
1648
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1649
#: sssd-ldap.5.xml:263
1650
msgid "The LDAP attribute that contains the name of the user's home directory."
1653
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1654
#: sssd-ldap.5.xml:267
1655
msgid "Default: homeDirectory"
1658
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1659
#: sssd-ldap.5.xml:273
1660
msgid "ldap_user_shell (string)"
1663
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1664
#: sssd-ldap.5.xml:276
1665
msgid "The LDAP attribute that contains the path to the user's default shell."
1668
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1669
#: sssd-ldap.5.xml:280
1670
msgid "Default: loginShell"
1673
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1674
#: sssd-ldap.5.xml:286
1675
msgid "ldap_user_uuid (string)"
1678
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1679
#: sssd-ldap.5.xml:289
1680
msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
1683
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1684
#: sssd-ldap.5.xml:293 sssd-ldap.5.xml:663 sssd-ldap.5.xml:756
1685
msgid "Default: nsUniqueId"
1688
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1689
#: sssd-ldap.5.xml:299
1690
msgid "ldap_user_modify_timestamp (string)"
1693
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1694
#: sssd-ldap.5.xml:302 sssd-ldap.5.xml:672 sssd-ldap.5.xml:765
1696
"The LDAP attribute that contains timestamp of the last modification of the "
1700
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1701
#: sssd-ldap.5.xml:306 sssd-ldap.5.xml:676 sssd-ldap.5.xml:769
1702
msgid "Default: modifyTimestamp"
1705
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1706
#: sssd-ldap.5.xml:312
1707
msgid "ldap_user_shadow_last_change (string)"
1710
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1711
#: sssd-ldap.5.xml:315
1713
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1714
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1715
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
1716
"the last password change)."
1719
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1720
#: sssd-ldap.5.xml:325
1721
msgid "Default: shadowLastChange"
1724
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1725
#: sssd-ldap.5.xml:331
1726
msgid "ldap_user_shadow_min (string)"
1729
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1730
#: sssd-ldap.5.xml:334
1732
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1733
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1734
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
1738
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1739
#: sssd-ldap.5.xml:343
1740
msgid "Default: shadowMin"
1743
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1744
#: sssd-ldap.5.xml:349
1745
msgid "ldap_user_shadow_max (string)"
1748
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1749
#: sssd-ldap.5.xml:352
1751
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1752
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1753
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
1757
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1758
#: sssd-ldap.5.xml:361
1759
msgid "Default: shadowMax"
1762
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1763
#: sssd-ldap.5.xml:367
1764
msgid "ldap_user_shadow_warning (string)"
1767
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1768
#: sssd-ldap.5.xml:370
1770
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1771
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1772
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
1773
"(password warning period)."
1776
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1777
#: sssd-ldap.5.xml:380
1778
msgid "Default: shadowWarning"
1781
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1782
#: sssd-ldap.5.xml:386
1783
msgid "ldap_user_shadow_inactive (string)"
1786
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1787
#: sssd-ldap.5.xml:389
1789
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1790
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1791
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
1792
"(password inactivity period)."
1795
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1796
#: sssd-ldap.5.xml:399
1797
msgid "Default: shadowInactive"
1800
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1801
#: sssd-ldap.5.xml:405
1802
msgid "ldap_user_shadow_expire (string)"
1805
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1806
#: sssd-ldap.5.xml:408
1808
"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
1809
"parameter contains the name of an LDAP attribute corresponding to its "
1810
"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
1811
"manvolnum> </citerefentry> counterpart (account expiration date)."
1814
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1815
#: sssd-ldap.5.xml:418
1816
msgid "Default: shadowExpire"
1819
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1820
#: sssd-ldap.5.xml:424
1821
msgid "ldap_user_krb_last_pwd_change (string)"
1824
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1825
#: sssd-ldap.5.xml:427
1827
"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
1828
"an LDAP attribute storing the date and time of last password change in "
1832
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1833
#: sssd-ldap.5.xml:433
1834
msgid "Default: krbLastPwdChange"
1837
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1838
#: sssd-ldap.5.xml:439
1839
msgid "ldap_user_krb_password_expiration (string)"
1842
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1843
#: sssd-ldap.5.xml:442
1845
"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
1846
"an LDAP attribute storing the date and time when current password expires."
1849
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1850
#: sssd-ldap.5.xml:448
1851
msgid "Default: krbPasswordExpiration"
1854
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1855
#: sssd-ldap.5.xml:454
1856
msgid "ldap_user_ad_account_expires (string)"
1859
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1860
#: sssd-ldap.5.xml:457
1862
"When using ldap_account_expire_policy=ad, this parameter contains the name "
1863
"of an LDAP attribute storing the expiration time of the account."
1866
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1867
#: sssd-ldap.5.xml:462
1868
msgid "Default: accountExpires"
1871
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1872
#: sssd-ldap.5.xml:468
1873
msgid "ldap_user_ad_user_account_control (string)"
1876
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1877
#: sssd-ldap.5.xml:471
1879
"When using ldap_account_expire_policy=ad, this parameter contains the name "
1880
"of an LDAP attribute storing the user account control bit field."
1883
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1884
#: sssd-ldap.5.xml:476
1885
msgid "Default: userAccountControl"
1888
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1889
#: sssd-ldap.5.xml:482
1890
msgid "ldap_ns_account_lock (string)"
1893
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1894
#: sssd-ldap.5.xml:485
1896
"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
1897
"determines if access is allowed or not."
1900
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1901
#: sssd-ldap.5.xml:490
1902
msgid "Default: nsAccountLock"
1905
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1906
#: sssd-ldap.5.xml:496
1907
msgid "ldap_user_principal (string)"
1910
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1911
#: sssd-ldap.5.xml:499
1913
"The LDAP attribute that contains the user's Kerberos User Principal Name "
1917
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1918
#: sssd-ldap.5.xml:503
1919
msgid "Default: krbPrincipalName"
1922
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1923
#: sssd-ldap.5.xml:509
1924
msgid "ldap_force_upper_case_realm (boolean)"
1927
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1928
#: sssd-ldap.5.xml:512
1930
"Some directory servers, for example Active Directory, might deliver the "
1931
"realm part of the UPN in lower case, which might cause the authentication to "
1932
"fail. Set this option to a non-zero value if you want to use an upper-case "
1936
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1937
#: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
1938
#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
1939
msgid "Default: false"
1942
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1943
#: sssd-ldap.5.xml:525
1944
msgid "ldap_enumeration_refresh_timeout (integer)"
1947
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1948
#: sssd-ldap.5.xml:528
1950
"Specifies how many seconds SSSD has to wait before "
1951
"refreshing its cache of enumerated records."
1954
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1955
#: sssd-ldap.5.xml:533
1956
msgid "Default: 300"
1959
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1960
#: sssd-ldap.5.xml:539
1961
msgid "ldap_purge_cache_timeout"
1964
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1965
#: sssd-ldap.5.xml:542
1967
"Determine how often to check the cache for inactive entries (such as groups "
1968
"with no members and users who have never logged in) and remove them to save "
1972
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1973
#: sssd-ldap.5.xml:548
1974
msgid "Setting this option to zero will disable the cache cleanup operation."
1977
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1978
#: sssd-ldap.5.xml:552
1979
msgid "Default: 10800 (12 hours)"
1982
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1983
#: sssd-ldap.5.xml:558
1984
msgid "ldap_user_fullname (string)"
1987
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1988
#: sssd-ldap.5.xml:561
1989
msgid "The LDAP attribute that corresponds to the user's full name."
1992
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1993
#: sssd-ldap.5.xml:565 sssd-ldap.5.xml:624 sssd-ldap.5.xml:717
1997
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1998
#: sssd-ldap.5.xml:571
1999
msgid "ldap_user_member_of (string)"
2002
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2003
#: sssd-ldap.5.xml:574
2004
msgid "The LDAP attribute that lists the user's group memberships."
2007
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2008
#: sssd-ldap.5.xml:578
2009
msgid "Default: memberOf"
2012
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2013
#: sssd-ldap.5.xml:584
2014
msgid "ldap_user_authorized_service (string)"
2017
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2018
#: sssd-ldap.5.xml:587
2020
"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
2021
"use the presence of the authorizedService attribute in the user's LDAP entry "
2022
"to determine access privilege."
2025
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2026
#: sssd-ldap.5.xml:594
2028
"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
2029
"explicit allow (svc) and finally for allow_all (*)."
2032
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2033
#: sssd-ldap.5.xml:599
2034
msgid "Default: authorizedService"
2037
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2038
#: sssd-ldap.5.xml:605
2039
msgid "ldap_group_object_class (string)"
2042
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2043
#: sssd-ldap.5.xml:608
2044
msgid "The object class of a group entry in LDAP."
2047
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2048
#: sssd-ldap.5.xml:611
2049
msgid "Default: posixGroup"
2052
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2053
#: sssd-ldap.5.xml:617
2054
msgid "ldap_group_name (string)"
2057
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2058
#: sssd-ldap.5.xml:620
2059
msgid "The LDAP attribute that corresponds to the group name."
2062
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2063
#: sssd-ldap.5.xml:630
2064
msgid "ldap_group_gid_number (string)"
2067
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2068
#: sssd-ldap.5.xml:633
2069
msgid "The LDAP attribute that corresponds to the group's id."
2072
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2073
#: sssd-ldap.5.xml:643
2074
msgid "ldap_group_member (string)"
2077
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2078
#: sssd-ldap.5.xml:646
2079
msgid "The LDAP attribute that contains the names of the group's members."
2082
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2083
#: sssd-ldap.5.xml:650
2084
msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
2087
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2088
#: sssd-ldap.5.xml:656
2089
msgid "ldap_group_uuid (string)"
2092
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2093
#: sssd-ldap.5.xml:659
2094
msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
2097
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2098
#: sssd-ldap.5.xml:669
2099
msgid "ldap_group_modify_timestamp (string)"
2102
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2103
#: sssd-ldap.5.xml:682
2104
msgid "ldap_group_nesting_level (integer)"
2107
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2108
#: sssd-ldap.5.xml:685
2110
"If ldap_schema is set to a schema format that supports nested groups (e.g. "
2111
"RFC2307bis), then this option controls how many levels of nesting SSSD will "
2112
"follow. This option has no effect on the RFC2307 schema."
2115
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2116
#: sssd-ldap.5.xml:692
2120
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2121
#: sssd-ldap.5.xml:698
2122
msgid "ldap_netgroup_object_class (string)"
2125
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2126
#: sssd-ldap.5.xml:701
2127
msgid "The object class of a netgroup entry in LDAP."
2130
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2131
#: sssd-ldap.5.xml:704
2132
msgid "Default: nisNetgroup"
2135
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2136
#: sssd-ldap.5.xml:710
2137
msgid "ldap_netgroup_name (string)"
2140
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2141
#: sssd-ldap.5.xml:713
2142
msgid "The LDAP attribute that corresponds to the netgroup name."
2145
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2146
#: sssd-ldap.5.xml:723
2147
msgid "ldap_netgroup_member (string)"
2150
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2151
#: sssd-ldap.5.xml:726
2152
msgid "The LDAP attribute that contains the names of the netgroup's members."
2155
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2156
#: sssd-ldap.5.xml:730
2157
msgid "Default: memberNisNetgroup"
2160
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2161
#: sssd-ldap.5.xml:736
2162
msgid "ldap_netgroup_triple (string)"
2165
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2166
#: sssd-ldap.5.xml:739
2168
"The LDAP attribute that contains the (host, user, domain) netgroup triples."
2171
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2172
#: sssd-ldap.5.xml:743
2173
msgid "Default: nisNetgroupTriple"
2176
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2177
#: sssd-ldap.5.xml:749
2178
msgid "ldap_netgroup_uuid (string)"
2181
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2182
#: sssd-ldap.5.xml:752
2184
"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
2187
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2188
#: sssd-ldap.5.xml:762
2189
msgid "ldap_netgroup_modify_timestamp (string)"
2192
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2193
#: sssd-ldap.5.xml:775
2194
msgid "ldap_search_timeout (integer)"
2197
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2198
#: sssd-ldap.5.xml:778
2200
"Specifies the timeout (in seconds) that LDAP searches are allowed to run "
2201
"before they are cancelled and cached results are returned (and offline mode "
2205
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2206
#: sssd-ldap.5.xml:784
2208
"Note: this option is subject to change in future versions of the SSSD. It "
2209
"will likely be replaced at some point by a series of timeouts for specific "
2213
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2214
#: sssd-ldap.5.xml:790 sssd-ldap.5.xml:832 sssd-ldap.5.xml:847
2218
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2219
#: sssd-ldap.5.xml:796
2220
msgid "ldap_enumeration_search_timeout (integer)"
2223
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2224
#: sssd-ldap.5.xml:799
2226
"Specifies the timeout (in seconds) that LDAP searches for user and group "
2227
"enumerations are allowed to run before they are cancelled and cached results "
2228
"are returned (and offline mode is entered)"
2231
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2232
#: sssd-ldap.5.xml:806
2236
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2237
#: sssd-ldap.5.xml:812
2238
msgid "ldap_network_timeout (integer)"
2241
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2242
#: sssd-ldap.5.xml:815
2244
"Specifies the timeout (in seconds) after which the <citerefentry> "
2245
"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
2246
"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
2247
"manvolnum> </citerefentry> following a <citerefentry> "
2248
"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
2249
"citerefentry> returns in case of no activity."
2252
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2253
#: sssd-ldap.5.xml:838
2254
msgid "ldap_opt_timeout (integer)"
2257
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2258
#: sssd-ldap.5.xml:841
2260
"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
2261
"will abort if no response is received. Also controls the timeout when "
2262
"communicating with the KDC in case of SASL bind."
2265
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2266
#: sssd-ldap.5.xml:853
2267
msgid "ldap_page_size (integer)"
2270
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2271
#: sssd-ldap.5.xml:856
2273
"Specify the number of records to retrieve from LDAP in a single request. "
2274
"Some LDAP servers enforce a maximum limit per-request."
2277
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2278
#: sssd-ldap.5.xml:861
2279
msgid "Default: 1000"
2282
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2283
#: sssd-ldap.5.xml:867
2284
msgid "ldap_tls_reqcert (string)"
2287
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2288
#: sssd-ldap.5.xml:870
2290
"Specifies what checks to perform on server certificates in a TLS session, if "
2291
"any. It can be specified as one of the following values:"
2294
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2295
#: sssd-ldap.5.xml:876
2297
"<emphasis>never</emphasis> = The client will not request or check any server "
2301
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2302
#: sssd-ldap.5.xml:880
2304
"<emphasis>allow</emphasis> = The server certificate is requested. If no "
2305
"certificate is provided, the session proceeds normally. If a bad certificate "
2306
"is provided, it will be ignored and the session proceeds normally, which "
"means the server's identity is not verified."
2309
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2310
#: sssd-ldap.5.xml:887
2312
"<emphasis>try</emphasis> = The server certificate is requested. If no "
2313
"certificate is provided, the session proceeds normally. If a bad certificate "
2314
"is provided, the session is immediately terminated."
2317
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2318
#: sssd-ldap.5.xml:893
2320
"<emphasis>demand</emphasis> = The server certificate is requested. If no "
2321
"certificate is provided, or a bad certificate is provided, the session is "
2322
"immediately terminated."
2325
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2326
#: sssd-ldap.5.xml:899
2327
msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
2330
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2331
#: sssd-ldap.5.xml:903
2332
msgid "Default: hard"
2335
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2336
#: sssd-ldap.5.xml:909
2337
msgid "ldap_tls_cacert (string)"
2340
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2341
#: sssd-ldap.5.xml:912
2343
"Specifies the file that contains certificates for all of the Certificate "
2344
"Authorities that <command>sssd</command> will recognize."
2347
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2348
#: sssd-ldap.5.xml:917 sssd-ldap.5.xml:935 sssd-ldap.5.xml:976
2350
"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
2354
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2355
#: sssd-ldap.5.xml:924
2356
msgid "ldap_tls_cacertdir (string)"
2359
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2360
#: sssd-ldap.5.xml:927
2362
"Specifies the path of a directory that contains Certificate Authority "
2363
"certificates in separate individual files. Typically the file names need to "
2364
"be the hash of the certificate followed by '.0'. If available, "
2365
"<command>cacertdir_rehash</command> can be used to create the correct names."
2368
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2369
#: sssd-ldap.5.xml:942
2370
msgid "ldap_tls_cert (string)"
2373
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2374
#: sssd-ldap.5.xml:945
2375
msgid "Specifies the file that contains the certificate for the client's key."
2378
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2379
#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
2380
msgid "Default: not set"
2383
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2384
#: sssd-ldap.5.xml:955
2385
msgid "ldap_tls_key (string)"
2388
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2389
#: sssd-ldap.5.xml:958
2390
msgid "Specifies the file that contains the client's key."
2393
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2394
#: sssd-ldap.5.xml:967
2395
msgid "ldap_tls_cipher_suite (string)"
2398
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2399
#: sssd-ldap.5.xml:970
2401
"Specifies acceptable cipher suites. Typically this is a colon-separated "
2402
"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
2403
"<manvolnum>5</manvolnum></citerefentry> for format."
2406
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2407
#: sssd-ldap.5.xml:983
2408
msgid "ldap_id_use_start_tls (boolean)"
2411
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2412
#: sssd-ldap.5.xml:986
2414
"Specifies that the id_provider connection must also use <systemitem class="
2415
"\"protocol\">tls</systemitem> to protect the channel."
2418
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2419
#: sssd-ldap.5.xml:996
2420
msgid "ldap_sasl_mech (string)"
2423
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2424
#: sssd-ldap.5.xml:999
2426
"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
2430
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2431
#: sssd-ldap.5.xml:1003 sssd-ldap.5.xml:1131
2432
msgid "Default: none"
2435
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2436
#: sssd-ldap.5.xml:1009
2437
msgid "ldap_sasl_authid (string)"
2440
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2441
#: sssd-ldap.5.xml:1012
2443
"Specify the SASL authorization id to use. When GSSAPI is used, this "
2444
"represents the Kerberos principal used for authentication to the directory."
2447
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2448
#: sssd-ldap.5.xml:1017
2449
msgid "Default: host/machine.fqdn@REALM"
2452
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2453
#: sssd-ldap.5.xml:1023
2454
msgid "ldap_krb5_keytab (string)"
2457
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2458
#: sssd-ldap.5.xml:1026
2459
msgid "Specify the keytab to use when using SASL/GSSAPI."
2462
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2463
#: sssd-ldap.5.xml:1029
2464
msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
2467
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2468
#: sssd-ldap.5.xml:1035
2469
msgid "ldap_krb5_init_creds (boolean)"
2472
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2473
#: sssd-ldap.5.xml:1038
2475
"Specifies that the id_provider should init Kerberos credentials (TGT). This "
2476
"action is performed only if SASL is used and the mechanism selected is "
2480
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2481
#: sssd-ldap.5.xml:1050
2482
msgid "ldap_krb5_ticket_lifetime (integer)"
2485
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2486
#: sssd-ldap.5.xml:1053
2487
msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
2490
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2491
#: sssd-ldap.5.xml:1057
2492
msgid "Default: 86400 (24 hours)"
2495
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2496
#: sssd-ldap.5.xml:1063 sssd-krb5.5.xml:74
2497
msgid "krb5_server (string)"
2500
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2501
#: sssd-ldap.5.xml:1066 sssd-krb5.5.xml:77
2503
"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
2504
"which SSSD should connect in the order of preference. For more information "
2505
"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
2506
"An optional port number (preceded by a colon) may be appended to the "
2507
"addresses or hostnames. If empty, service discovery is enabled - for more "
2508
"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
2511
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2512
#: sssd-ldap.5.xml:1078 sssd-krb5.5.xml:89
2514
"When using service discovery for KDC or kpasswd servers, SSSD first searches "
2515
"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
2519
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2520
#: sssd-ldap.5.xml:1083 sssd-krb5.5.xml:94
2522
"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
2523
"While the legacy name is recognized for the time being, users are advised to "
2524
"migrate their config files to use <quote>krb5_server</quote> instead."
2527
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2528
#: sssd-ldap.5.xml:1092 sssd-ipa.5.xml:165 sssd-krb5.5.xml:103
2529
msgid "krb5_realm (string)"
2532
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2533
#: sssd-ldap.5.xml:1095
2534
msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
2537
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2538
#: sssd-ldap.5.xml:1098
2539
msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
2542
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2543
#: sssd-ldap.5.xml:1104
2544
msgid "ldap_pwd_policy (string)"
2547
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2548
#: sssd-ldap.5.xml:1107
2550
"Select the policy to evaluate the password expiration on the client side. "
2551
"The following values are allowed:"
2554
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2555
#: sssd-ldap.5.xml:1112
2557
"<emphasis>none</emphasis> - No evaluation on the client side. This option "
2558
"cannot disable server-side password policies."
2561
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2562
#: sssd-ldap.5.xml:1117
2564
"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
2565
"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
2566
"evaluate if the password has expired. Note that the current version of sssd "
2567
"cannot update this attribute during a password change."
2570
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2571
#: sssd-ldap.5.xml:1125
2573
"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
2574
"to determine if the password has expired. Use chpass_provider=krb5 to update "
2575
"these attributes when the password is changed."
2578
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2579
#: sssd-ldap.5.xml:1137
2580
msgid "ldap_referrals (boolean)"
2583
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2584
#: sssd-ldap.5.xml:1140
2585
msgid "Specifies whether automatic referral chasing should be enabled."
2588
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2589
#: sssd-ldap.5.xml:1144
2591
"Please note that sssd only supports referral chasing when it is compiled "
2592
"with OpenLDAP version 2.4.13 or higher."
2595
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2596
#: sssd-ldap.5.xml:1155
2597
msgid "ldap_dns_service_name (string)"
2600
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2601
#: sssd-ldap.5.xml:1158
2602
msgid "Specifies the service name to use when service discovery is enabled."
2605
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2606
#: sssd-ldap.5.xml:1162
2607
msgid "Default: ldap"
2610
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2611
#: sssd-ldap.5.xml:1168
2612
msgid "ldap_chpass_dns_service_name (string)"
2615
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2616
#: sssd-ldap.5.xml:1171
2618
"Specifies the service name to use to find an LDAP server which allows "
2619
"password changes when service discovery is enabled."
2622
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2623
#: sssd-ldap.5.xml:1176
2624
msgid "Default: not set, i.e. service discovery is disabled"
2627
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2628
#: sssd-ldap.5.xml:1182
2629
msgid "ldap_access_filter (string)"
2632
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2633
#: sssd-ldap.5.xml:1185
2635
"If using access_provider = ldap, this option is mandatory. It specifies an "
2636
"LDAP search filter criteria that must be met for the user to be granted "
2637
"access on this host. If access_provider = ldap and this option is not set, "
2638
"it will result in all users being denied access. Use access_provider = allow "
2639
"to change this default behavior."
2642
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2643
#: sssd-ldap.5.xml:1195
2647
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
2648
#: sssd-ldap.5.xml:1198
2651
"access_provider = ldap\n"
2652
"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com\n"
2656
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2657
#: sssd-ldap.5.xml:1202
2659
"This example means that access to this host is restricted to members of the "
2660
"\"allowedusers\" group in ldap."
2663
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2664
#: sssd-ldap.5.xml:1207
2666
"Offline caching for this feature is limited to determining whether the "
2667
"user's last online login was granted access permission. If they were granted "
2668
"access during their last login, they will continue to be granted access "
2669
"while offline and vice-versa."
2672
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2673
#: sssd-ldap.5.xml:1215 sssd-ldap.5.xml:1256
2674
msgid "Default: Empty"
2677
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2678
#: sssd-ldap.5.xml:1221
2679
msgid "ldap_account_expire_policy (string)"
2682
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2683
#: sssd-ldap.5.xml:1224
2685
"With this option a client side evaluation of access control attributes can "
2689
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2690
#: sssd-ldap.5.xml:1228
2692
"Please note that it is always recommended to use server side access control, "
2693
"i.e. the LDAP server should deny the bind request with a suitable error code "
2694
"even if the password is correct."
2697
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2698
#: sssd-ldap.5.xml:1235
2699
msgid "The following values are allowed:"
2702
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2703
#: sssd-ldap.5.xml:1238
2705
"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
2706
"determine if the account is expired."
2709
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2710
#: sssd-ldap.5.xml:1243
2712
"<emphasis>ad</emphasis>: use the value of the 32bit field "
2713
"ldap_user_ad_user_account_control and allow access if the second bit is not "
2714
"set. If the attribute is missing, access is granted. Also the expiration time "
2715
"of the account is checked."
2718
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2719
#: sssd-ldap.5.xml:1250
2721
"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
2722
"emphasis>: use the value of ldap_ns_account_lock to check if access is "
2726
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2727
#: sssd-ldap.5.xml:1262
2728
msgid "ldap_access_order (string)"
2731
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2732
#: sssd-ldap.5.xml:1265
2733
msgid "Comma separated list of access control options. Allowed values are:"
2736
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2737
#: sssd-ldap.5.xml:1269
2738
msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
2741
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2742
#: sssd-ldap.5.xml:1272
2743
msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
2746
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2747
#: sssd-ldap.5.xml:1276
2749
"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
2750
"to determine access"
2753
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2754
#: sssd-ldap.5.xml:1281
2755
msgid "Default: filter"
2758
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2759
#: sssd-ldap.5.xml:1284
2761
"Please note that it is a configuration error if a value is used more than "
2765
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2766
#: sssd-ldap.5.xml:1291
2767
msgid "ldap_deref (string)"
2770
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2771
#: sssd-ldap.5.xml:1294
2773
"Specifies how alias dereferencing is done when performing a search. The "
2774
"following options are allowed:"
2777
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2778
#: sssd-ldap.5.xml:1299
2779
msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
2782
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2783
#: sssd-ldap.5.xml:1303
2785
"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
2786
"the base object, but not in locating the base object of the search."
2789
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2790
#: sssd-ldap.5.xml:1308
2792
"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
2793
"the base object of the search."
2796
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2797
#: sssd-ldap.5.xml:1313
2799
"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
2800
"in locating the base object of the search."
2803
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2804
#: sssd-ldap.5.xml:1318
2806
"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
2810
#. type: Content of: <reference><refentry><refsect1><para>
2811
#: sssd-ldap.5.xml:51
2813
"All of the common configuration options that apply to SSSD domains also "
2814
"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
2815
"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
2816
"manvolnum> </citerefentry> manual page for full details. <placeholder type="
2817
"\"variablelist\" id=\"0\"/>"
2820
#. type: Content of: <reference><refentry><refsect1><title>
2821
#: sssd-ldap.5.xml:1330
2822
msgid "ADVANCED OPTIONS"
2825
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2826
#: sssd-ldap.5.xml:1337
2827
msgid "ldap_netgroup_search_base (string)"
2830
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2831
#: sssd-ldap.5.xml:1340
2833
"An optional base DN to restrict netgroup searches to a specific subtree."
2836
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2837
#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:1358 sssd-ldap.5.xml:1372
2838
msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
2841
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2842
#: sssd-ldap.5.xml:1351
2843
msgid "ldap_user_search_base (string)"
2846
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2847
#: sssd-ldap.5.xml:1354
2848
msgid "An optional base DN to restrict user searches to a specific subtree."
2851
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2852
#: sssd-ldap.5.xml:1365
2853
msgid "ldap_group_search_base (string)"
2856
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2857
#: sssd-ldap.5.xml:1368
2858
msgid "An optional base DN to restrict group searches to a specific subtree."
2861
#. type: Content of: <reference><refentry><refsect1><para>
2862
#: sssd-ldap.5.xml:1332
2864
"These options are supported by LDAP domains, but they should be used with "
2865
"caution. Please include them in your configuration only if you know what you "
2866
"are doing. <placeholder type=\"variablelist\" id=\"0\"/>"
2869
#. type: Content of: <reference><refentry><refsect1><para>
2870
#: sssd-ldap.5.xml:1388
2872
"The following example assumes that SSSD is correctly configured and LDAP is "
2873
"set to one of the domains in the <replaceable>[domains]</replaceable> "
2877
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
2878
#: sssd-ldap.5.xml:1394
2882
" id_provider = ldap\n"
2883
" auth_provider = ldap\n"
2884
" ldap_uri = ldap://ldap.mydomain.org\n"
2885
" ldap_search_base = dc=mydomain,dc=org\n"
2886
" ldap_tls_reqcert = demand\n"
2887
" cache_credentials = true\n"
2888
" enumerate = true\n"
2891
#. type: Content of: <reference><refentry><refsect1><para>
2892
#: sssd-ldap.5.xml:1393 sssd-simple.5.xml:134 sssd-ipa.5.xml:196
2893
#: sssd-krb5.5.xml:414
2894
msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
2897
#. type: Content of: <reference><refentry><refsect1><title>
2898
#: sssd-ldap.5.xml:1407 sssd_krb5_locator_plugin.8.xml:61
2902
#. type: Content of: <reference><refentry><refsect1><para>
2903
#: sssd-ldap.5.xml:1409
2905
"The descriptions of some of the configuration options in this manual page "
2906
"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
2907
"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
2911
#. type: Content of: <reference><refentry><refsect1><para>
2912
#: sssd-ldap.5.xml:1420
2914
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
2915
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
2916
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
2917
"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
2920
#. type: Content of: <refentryinfo>
2921
#: pam_sss.8.xml:8 include/upstream.xml:2
2923
"<productname>SSSD</productname> <orgname>The SSSD upstream - http://"
2924
"fedorahosted.org/sssd</orgname>"
2927
#. type: Content of: <reference><refentry><refnamediv><refname>
2928
#: pam_sss.8.xml:13 pam_sss.8.xml:18
2932
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
2934
msgid "PAM module for SSSD"
2937
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
2940
"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
2941
"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
2942
"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
2943
"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
2947
#. type: Content of: <reference><refentry><refsect1><para>
2950
"<command>pam_sss.so</command> is the PAM interface to the System Security "
2951
"Services daemon (SSSD). Errors and results are logged through <command>syslog"
2952
"(3)</command> with the LOG_AUTHPRIV facility."
2955
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2957
msgid "<option>forward_pass</option>"
2960
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2963
"If <option>forward_pass</option> is set the entered password is put on the "
2964
"stack for other PAM modules to use."
2967
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2969
msgid "<option>use_first_pass</option>"
2972
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2975
"The argument use_first_pass forces the module to use a previously stacked "
2976
"module's password and will never prompt the user - if no password is "
2977
"available or the password is not appropriate, the user will be denied access."
2980
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2982
msgid "<option>use_authtok</option>"
2985
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2988
"When changing the password, force the module to set the new password to the one "
2989
"provided by a previously stacked password module."
2992
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2994
msgid "<option>retry=N</option>"
2997
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3000
"If specified the user is asked another N times for a password if "
3001
"authentication fails. Default is 0."
3004
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3007
"Please note that this option might not work as expected if the application "
3008
"calling PAM handles the user dialog on its own. A typical example is "
3009
"<command>sshd</command> with <option>PasswordAuthentication</option>."
3012
#. type: Content of: <reference><refentry><refsect1><title>
3014
msgid "MODULE TYPES PROVIDED"
3017
#. type: Content of: <reference><refentry><refsect1><para>
3018
#: pam_sss.8.xml:100
3020
"All module types (<option>account</option>, <option>auth</option>, "
3021
"<option>password</option> and <option>session</option>) are provided."
3024
#. type: Content of: <reference><refentry><refsect1><title>
3025
#: pam_sss.8.xml:106
3029
#. type: Content of: <reference><refentry><refsect1><para>
3030
#: pam_sss.8.xml:107
3032
"If a password reset by root fails, because the corresponding SSSD provider "
3033
"does not support password resets, an individual message can be displayed. "
3034
"This message can e.g. contain instructions about how to reset a password."
3037
#. type: Content of: <reference><refentry><refsect1><para>
3038
#: pam_sss.8.xml:112
3040
"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
3041
"filename> where LOC stands for a locale string returned by <citerefentry> "
3042
"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
3043
"citerefentry>. If there is no matching file the content of "
3044
"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
3045
"the owner of the files and only root may have read and write permissions "
3046
"while all other users must have only read permissions."
3049
#. type: Content of: <reference><refentry><refsect1><para>
3050
#: pam_sss.8.xml:122
3052
"These files are searched in the directory <filename>/etc/sssd/customize/"
3053
"DOMAIN_NAME/</filename>. If no matching file is present a generic message is "
3057
#. type: Content of: <reference><refentry><refsect1><para>
3058
#: pam_sss.8.xml:130
3060
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
3061
"manvolnum> </citerefentry>"
3064
#. type: Content of: <reference><refentry><refnamediv><refname>
3065
#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
3066
msgid "sssd_krb5_locator_plugin"
3069
#. type: Content of: <reference><refentry><refsect1><para>
3070
#: sssd_krb5_locator_plugin.8.xml:22
3072
"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
3073
"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
3074
"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
3075
"libraries what Realm and which KDC to use. Typically this is done in "
3076
"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
3077
"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
3078
"To simplify the configuration the Realm and the KDC can be defined in "
3079
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
3080
"manvolnum> </citerefentry> as described in <citerefentry> "
3081
"<refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
3085
#. type: Content of: <reference><refentry><refsect1><para>
3086
#: sssd_krb5_locator_plugin.8.xml:48
3088
"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
3089
"</citerefentry> puts the Realm and the name or IP address of the KDC into "
3090
"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. "
3091
"When <command>sssd_krb5_locator_plugin</command> is called by the Kerberos "
3092
"libraries it reads and evaluates these variables and returns them to the "
3096
#. type: Content of: <reference><refentry><refsect1><para>
3097
#: sssd_krb5_locator_plugin.8.xml:63
3099
"Not all Kerberos implementations support the use of plugins. If "
3100
"<command>sssd_krb5_locator_plugin</command> is not available on your system "
3101
"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
3104
#. type: Content of: <reference><refentry><refsect1><para>
3105
#: sssd_krb5_locator_plugin.8.xml:69
3107
"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value "
3108
"debug messages will be sent to stderr."
3111
#. type: Content of: <reference><refentry><refsect1><para>
3112
#: sssd_krb5_locator_plugin.8.xml:77
3114
"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</"
3115
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
3116
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
3117
"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
3120
#. type: Content of: <reference><refentry><refnamediv><refname>
3121
#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
3125
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3126
#: sssd-simple.5.xml:17
3127
msgid "the configuration file for SSSD's 'simple' access-control provider"
3130
#. type: Content of: <reference><refentry><refsect1><para>
3131
#: sssd-simple.5.xml:24
3133
"This manual page describes the configuration of the simple access-control "
3134
"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
3135
"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
3136
"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
3137
"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
3138
"citerefentry> manual page."
3141
#. type: Content of: <reference><refentry><refsect1><para>
3142
#: sssd-simple.5.xml:38
3144
"The simple access provider grants or denies access based on an access or "
3145
"deny list of user or group names. The following rules apply:"
3148
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3149
#: sssd-simple.5.xml:43
3150
msgid "If all lists are empty, access is granted"
3153
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3154
#: sssd-simple.5.xml:47
3156
"If any list is provided, the order of evaluation is allow,deny. This means "
3157
"that any matching deny rule will supersede any matched allow rule."
3160
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3161
#: sssd-simple.5.xml:54
3163
"If either or both \"allow\" lists are provided, all users are denied unless "
3164
"they appear in the list."
3167
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3168
#: sssd-simple.5.xml:60
3170
"If only \"deny\" lists are provided, all users are granted access unless "
3171
"they appear in the list."
3174
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3175
#: sssd-simple.5.xml:78
3176
msgid "simple_allow_users (string)"
3179
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3180
#: sssd-simple.5.xml:81
3181
msgid "Comma separated list of users who are allowed to log in."
3184
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3185
#: sssd-simple.5.xml:88
3186
msgid "simple_deny_users (string)"
3189
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3190
#: sssd-simple.5.xml:91
3191
msgid "Comma separated list of users who are explicitly denied access."
3194
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3195
#: sssd-simple.5.xml:97
3196
msgid "simple_allow_groups (string)"
3199
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3200
#: sssd-simple.5.xml:100
3202
"Comma separated list of groups that are allowed to log in. This applies only "
3203
"to groups within this SSSD domain. Local groups are not evaluated."
3206
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3207
#: sssd-simple.5.xml:108
3208
msgid "simple_deny_groups (string)"
3211
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3212
#: sssd-simple.5.xml:111
3214
"Comma separated list of groups that are explicitly denied access. This "
3215
"applies only to groups within this SSSD domain. Local groups are not "
3219
#. type: Content of: <reference><refentry><refsect1><para>
3220
#: sssd-simple.5.xml:70 sssd-ipa.5.xml:62
3222
"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
3223
"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
3224
"citerefentry> manual page for details on the configuration of an SSSD "
3225
"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
3228
#. type: Content of: <reference><refentry><refsect1><para>
3229
#: sssd-simple.5.xml:120
3231
"Please note that it is a configuration error if both, simple_allow_users "
3232
"and simple_deny_users, are defined."
3235
#. type: Content of: <reference><refentry><refsect1><para>
3236
#: sssd-simple.5.xml:128
3238
"The following example assumes that SSSD is correctly configured and example."
3239
"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
3240
"This example shows only the simple access provider-specific options."
3243
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
3244
#: sssd-simple.5.xml:135
3247
" [domain/example.com]\n"
3248
" access_provider = simple\n"
3249
" simple_allow_users = user1, user2\n"
3252
#. type: Content of: <reference><refentry><refsect1><para>
3253
#: sssd-simple.5.xml:145
3255
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
3256
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd</"
3257
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
3260
#. type: Content of: <reference><refentry><refnamediv><refname>
3261
#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
3265
#. type: Content of: <reference><refentry><refsect1><para>
3266
#: sssd-ipa.5.xml:23
3268
"This manual page describes the configuration of the IPA provider for "
3269
"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
3270
"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
3271
"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
3272
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
3275
#. type: Content of: <reference><refentry><refsect1><para>
3276
#: sssd-ipa.5.xml:36
3278
"The IPA provider is a back end used to connect to an IPA server. (Refer to "
3279
"the freeipa.org web site for information about IPA servers.) This provider "
3280
"requires that the machine be joined to the IPA domain; configuration is "
3281
"almost entirely self-discovered and obtained directly from the server."
3284
#. type: Content of: <reference><refentry><refsect1><para>
3285
#: sssd-ipa.5.xml:43
3287
"The IPA provider accepts the same options used by the <citerefentry> "
3288
"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
3289
"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
3290
"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
3291
"provider. However, it is neither necessary nor recommended to set these "
3292
"options. IPA provider can also be used as an access and chpass provider. As "
3293
"an access provider it uses HBAC (host-based access control) rules. Please "
3294
"refer to freeipa.org for more information about HBAC. No configuration of "
3295
"access provider is required on the client side."
3298
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3299
#: sssd-ipa.5.xml:69
3300
msgid "ipa_domain (string)"
3303
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3304
#: sssd-ipa.5.xml:72
3306
"Specifies the name of the IPA domain. This is optional. If not provided, "
3307
"the configuration domain name is used."
3310
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3311
#: sssd-ipa.5.xml:80
3312
msgid "ipa_server (string)"
3315
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3316
#: sssd-ipa.5.xml:83
3318
"The list of IP addresses or hostnames of the IPA servers to which SSSD "
3319
"should connect in the order of preference. For more information on failover "
3320
"and server redundancy, see the <quote>FAILOVER</quote> section. This is "
3321
"optional if autodiscovery is enabled. For more information on service "
3322
"discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
3325
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3326
#: sssd-ipa.5.xml:96
3327
msgid "ipa_hostname (string)"
3330
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3331
#: sssd-ipa.5.xml:99
3333
"Optional. May be set on machines where the hostname(5) does not reflect the "
3334
"fully qualified name used in the IPA domain to identify this host."
3337
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3338
#: sssd-ipa.5.xml:107
3339
msgid "ipa_dyndns_update (boolean)"
3342
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3343
#: sssd-ipa.5.xml:110
3345
"Optional. This option tells SSSD to automatically update the DNS server "
3346
"built into FreeIPA v2 with the IP address of this client."
3349
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3350
#: sssd-ipa.5.xml:121
3351
msgid "ipa_dyndns_iface (string)"
3354
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3355
#: sssd-ipa.5.xml:124
3357
"Optional. Applicable only when ipa_dyndns_update is true. Choose the "
3358
"interface whose IP address should be used for dynamic DNS updates."
3361
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3362
#: sssd-ipa.5.xml:129
3363
msgid "Default: Use the IP address of the IPA LDAP connection"
3366
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3367
#: sssd-ipa.5.xml:135
3368
msgid "ipa_hbac_search_base (string)"
3371
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3372
#: sssd-ipa.5.xml:138
3373
msgid "Optional. Use the given string as search base for HBAC related objects."
3376
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3377
#: sssd-ipa.5.xml:142
3378
msgid "Default: Use base DN"
3381
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3382
#: sssd-ipa.5.xml:148 sssd-krb5.5.xml:229
3383
msgid "krb5_validate (boolean)"
3386
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3387
#: sssd-ipa.5.xml:151 sssd-krb5.5.xml:232
3389
"Verify with the help of krb5_keytab that the TGT obtained has not been "
3393
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3394
#: sssd-ipa.5.xml:158
3396
"Note that this default differs from the traditional Kerberos provider back "
3400
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3401
#: sssd-ipa.5.xml:168
3403
"The name of the Kerberos realm. This is optional and defaults to the value "
3404
"of <quote>ipa_domain</quote>."
3407
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3408
#: sssd-ipa.5.xml:172
3410
"The name of the Kerberos realm has a special meaning in IPA - it is "
3411
"converted into the base DN to use for performing LDAP operations."
3414
#. type: Content of: <reference><refentry><refsect1><para>
3415
#: sssd-ipa.5.xml:190
3417
"The following example assumes that SSSD is correctly configured and example."
3418
"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
3419
"This example shows only the ipa provider-specific options."
3422
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
3423
#: sssd-ipa.5.xml:197
3426
" [domain/example.com]\n"
3427
" id_provider = ipa\n"
3428
" ipa_server = ipaserver.example.com\n"
3429
" ipa_hostname = myhost.example.com\n"
3432
#. type: Content of: <reference><refentry><refsect1><para>
3433
#: sssd-ipa.5.xml:208
3435
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
3436
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
3437
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
3438
"<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </"
3439
"citerefentry>, <citerefentry> <refentrytitle>sssd</"
3440
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
3443
#. type: Content of: <reference><refentry><refnamediv><refname>
3444
#: sssd.8.xml:10 sssd.8.xml:15
3448
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3450
msgid "System Security Services Daemon"
3453
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
3456
"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
3457
"replaceable> </arg>"
3460
#. type: Content of: <reference><refentry><refsect1><para>
3463
"<command>SSSD</command> provides a set of daemons to manage access to remote "
3464
"directories and authentication mechanisms. It provides an NSS and PAM "
3465
"interface toward the system and a pluggable backend system to connect to "
3466
"multiple different account sources as well as a D-Bus interface. It is also "
3467
"the basis to provide client auditing and policy services for projects like "
3468
"FreeIPA. It provides a more robust database to store local users as well as "
3469
"extended user data."
3472
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3475
"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
3479
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3482
"Debug level to run the daemon with. 0 is the default as well as the lowest "
3483
"allowed value, 10 is the most verbose mode. This setting overrides the "
3484
"settings from config file. This parameter implies <option>-i</option>."
3487
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3489
msgid "<option>-f</option>,<option>--debug-to-files</option>"
3492
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3495
"Send the debug output to files instead of stderr. By default, the log files "
3496
"are stored in <filename>/var/log/sssd</filename> and there are separate log "
3497
"files for every SSSD service and domain."
3500
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3502
msgid "<option>-D</option>,<option>--daemon</option>"
3505
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3507
msgid "Become a daemon after starting up."
3510
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3512
msgid "<option>-i</option>,<option>--interactive</option>"
3515
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3517
msgid "Run in the foreground, don't become a daemon."
3520
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3522
msgid "<option>-c</option>,<option>--config</option>"
3525
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3528
"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
3529
"conf</filename>. For reference on the config file syntax and options, "
3530
"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
3531
"<manvolnum>5</manvolnum> </citerefentry> manual page."
3534
#. type: Content of: <reference><refentry><refsect1><title>
3539
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3541
msgid "SIGTERM/SIGINT"
3544
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3547
"Informs the SSSD to gracefully terminate all of its child processes and then "
3548
"shut down the monitor."
3551
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3556
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3559
"Tells the SSSD to stop writing to its current debug file descriptors and to "
3560
"close and reopen them. This is meant to facilitate log rolling with programs "
3564
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3569
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3572
"Tells the SSSD to simulate offline operation for one minute. This is mostly "
3573
"useful for testing purposes."
3576
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3581
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3584
"Tells the SSSD to go online immediately. This is mostly useful for testing "
3588
#. type: Content of: <reference><refentry><refsect1><para>
3591
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
3592
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
3593
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3594
"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
3595
"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
3596
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3597
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
3598
"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
3599
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3600
"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
3604
#. type: Content of: <reference><refentry><refnamediv><refname>
3605
#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
3606
msgid "sss_obfuscate"
3609
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3610
#: sss_obfuscate.8.xml:16
3611
msgid "obfuscate a clear text password"
3614
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
3615
#: sss_obfuscate.8.xml:21
3617
"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
3618
"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
3619
"replaceable></arg>"
3622
#. type: Content of: <reference><refentry><refsect1><para>
3623
#: sss_obfuscate.8.xml:32
3625
"<command>sss_obfuscate</command> converts a given password into human-"
3626
"unreadable format and places it into the appropriate domain section of the SSSD "
3630
#. type: Content of: <reference><refentry><refsect1><para>
3631
#: sss_obfuscate.8.xml:37
3633
"The cleartext password is read from standard input or entered "
3634
"interactively. The obfuscated password is put into "
3635
"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
3636
"<quote>ldap_default_authtok_type</quote> parameter is set to "
3637
"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
3638
"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
3639
"citerefentry> for more details on these parameters."
3642
#. type: Content of: <reference><refentry><refsect1><para>
3643
#: sss_obfuscate.8.xml:49
3645
"Please note that obfuscating the password provides <emphasis>no real "
3646
"security benefit</emphasis> as it is still possible for an attacker to "
3647
"reverse-engineer the password back. Using better authentication mechanisms "
3648
"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
3652
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3653
#: sss_obfuscate.8.xml:63
3654
msgid "<option>-s</option>,<option>--stdin</option>"
3657
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3658
#: sss_obfuscate.8.xml:67
3659
msgid "The password to obfuscate will be read from standard input."
3662
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3663
#: sss_obfuscate.8.xml:74
3665
"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
3669
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3670
#: sss_obfuscate.8.xml:79
3672
"The SSSD domain to use the password in. The default name is <quote>default</"
3676
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3677
#: sss_obfuscate.8.xml:86
3679
"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
3682
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3683
#: sss_obfuscate.8.xml:91
3684
msgid "Read the config file specified by the positional parameter."
3687
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3688
#: sss_obfuscate.8.xml:95
3689
msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
3692
#. type: Content of: <reference><refentry><refsect1><para>
3693
#: sss_obfuscate.8.xml:105
3695
"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
3696
"manvolnum> </citerefentry>"
3699
#. type: Content of: <reference><refentry><refnamediv><refname>
3700
#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
3704
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3705
#: sss_useradd.8.xml:16
3706
msgid "create a new user"
3709
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
3710
#: sss_useradd.8.xml:21
3712
"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
3713
"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
3717
#. type: Content of: <reference><refentry><refsect1><para>
3718
#: sss_useradd.8.xml:32
3720
"<command>sss_useradd</command> creates a new user account using the values "
3721
"specified on the command line plus the default values from the system."
3724
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3725
#: sss_useradd.8.xml:43
3727
"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
3730
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3731
#: sss_useradd.8.xml:48
3733
"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
3734
"not given, it is chosen automatically."
3737
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3738
#: sss_useradd.8.xml:55 sss_usermod.8.xml:43
3740
"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
3744
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3745
#: sss_useradd.8.xml:60 sss_usermod.8.xml:48
3747
"Any text string describing the user. Often used as the field for the user's "
3751
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3752
#: sss_useradd.8.xml:67 sss_usermod.8.xml:55
3754
"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
3758
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3759
#: sss_useradd.8.xml:72
3761
"The home directory of the user account. The default is to append the "
3762
"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
3763
"that as the home directory. The base that is prepended before "
3764
"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
3765
"baseDirectory</quote> setting in sssd.conf."
3768
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3769
#: sss_useradd.8.xml:82 sss_usermod.8.xml:66
3771
"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
3774
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3775
#: sss_useradd.8.xml:87
3777
"The user's login shell. The default is currently <filename>/bin/bash</"
3778
"filename>. The default can be changed with <quote>user_defaults/"
3779
"defaultShell</quote> setting in sssd.conf."
3782
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3783
#: sss_useradd.8.xml:96
3785
"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
3789
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3790
#: sss_useradd.8.xml:101
3791
msgid "A list of existing groups this user is also a member of."
3794
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3795
#: sss_useradd.8.xml:107
3796
msgid "<option>-m</option>,<option>--create-home</option>"
3799
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3800
#: sss_useradd.8.xml:111
3802
"Create the user's home directory if it does not exist. The files and "
3803
"directories contained in the skeleton directory (which can be defined with "
3804
"the -k option or in the config file) will be copied to the home directory."
3807
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3808
#: sss_useradd.8.xml:121
3809
msgid "<option>-M</option>,<option>--no-create-home</option>"
3812
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3813
#: sss_useradd.8.xml:125
3815
"Do not create the user's home directory. Overrides configuration settings."
3818
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3819
#: sss_useradd.8.xml:132
3821
"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
3825
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3826
#: sss_useradd.8.xml:137
3828
"The skeleton directory, which contains files and directories to be copied in "
3829
"the user's home directory, when the home directory is created by "
3830
"<command>sss_useradd</command>."
3833
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3834
#: sss_useradd.8.xml:143
3836
"This option is only valid if the <option>-m</option> (or <option>--create-"
3837
"home</option>) option is specified, or creation of home directories is set "
3838
"to TRUE in the configuration."
3841
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3842
#: sss_useradd.8.xml:152 sss_usermod.8.xml:124
3844
"<option>-Z</option>,<option>--selinux-user</option> "
3845
"<replaceable>SELINUX_USER</replaceable>"
3848
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3849
#: sss_useradd.8.xml:157
3851
"The SELinux user for the user's login. If not specified, the system default "
3855
#. type: Content of: <reference><refentry><refsect1><para>
3856
#: sss_useradd.8.xml:169
3858
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
3859
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
3860
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3861
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
3862
"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
3863
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3864
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
3865
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
3866
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
3869
#. type: Content of: <reference><refentry><refnamediv><refname>
3870
#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
3874
#. type: Content of: <reference><refentry><refsect1><para>
3875
#: sssd-krb5.5.xml:23
3877
"This manual page describes the configuration of the Kerberos 5 "
3878
"authentication backend for <citerefentry> <refentrytitle>sssd</"
3879
"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed "
3880
"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
3881
"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
3882
"manvolnum> </citerefentry> manual page"
3885
#. type: Content of: <reference><refentry><refsect1><para>
3886
#: sssd-krb5.5.xml:36
3888
"The Kerberos 5 authentication backend contains auth and chpass providers. It "
3889
"must be paired with identity provider in order to function properly (for "
3890
"example, id_provider = ldap). Some information required by the Kerberos 5 "
3891
"authentication backend must be provided by the identity provider, such as "
3892
"the user's Kerberos Principal Name (UPN). The configuration of the identity "
3893
"provider should have an entry to specify the UPN. Please refer to the man "
3894
"page for the applicable identity provider for details on how to configure "
3898
#. type: Content of: <reference><refentry><refsect1><para>
3899
#: sssd-krb5.5.xml:47
3901
"This backend also provides access control based on the .k5login file in the "
3902
"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
3903
"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
3904
"Please note that an empty .k5login file will deny all access to this user. "
3905
"To activate this feature use 'access_provider = krb5' in your sssd "
3909
#. type: Content of: <reference><refentry><refsect1><para>
3910
#: sssd-krb5.5.xml:55
3912
"In the case where the UPN is not available in the identity backend "
3913
"<command>sssd</command> will construct a UPN using the format "
3914
"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
3917
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3918
#: sssd-krb5.5.xml:106
3920
"The name of the Kerberos realm. This option is required and must be "
3924
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3925
#: sssd-krb5.5.xml:113
3926
msgid "krb5_kpasswd (string)"
3929
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3930
#: sssd-krb5.5.xml:116
3932
"If the change password service is not running on the KDC, alternative servers "
3933
"can be defined here. An optional port number (preceded by a colon) may be "
3934
"appended to the addresses or hostnames."
3937
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3938
#: sssd-krb5.5.xml:122
3940
"For more information on failover and server redundancy, see the "
3941
"<quote>FAILOVER</quote> section. Please note that even if there are no more "
3942
"kpasswd servers to try, the back end is not switched to offline if "
3943
"authentication against the KDC is still possible."
3946
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3947
#: sssd-krb5.5.xml:129
3948
msgid "Default: Use the KDC"
3951
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3952
#: sssd-krb5.5.xml:135
3953
msgid "krb5_ccachedir (string)"
3956
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3957
#: sssd-krb5.5.xml:138
3959
"Directory to store credential caches. All the substitution sequences of "
3960
"krb5_ccname_template can be used here, too, except %d and %P. If the "
3961
"directory does not exist it will be created. If %u, %U, %p or %h are used a "
3962
"private directory belonging to the user is created. Otherwise a public "
3963
"directory with restricted deletion flag (aka sticky bit, see <citerefentry> "
3964
"<refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> </"
3965
"citerefentry> for details) is created."
3968
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3969
#: sssd-krb5.5.xml:151
3970
msgid "Default: /tmp"
3973
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3974
#: sssd-krb5.5.xml:157
3975
msgid "krb5_ccname_template (string)"
3978
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
3979
#: sssd-krb5.5.xml:166
3983
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
3984
#: sssd-krb5.5.xml:167
3988
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
3989
#: sssd-krb5.5.xml:170
3993
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
3994
#: sssd-krb5.5.xml:171
3998
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
3999
#: sssd-krb5.5.xml:174
4003
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4004
#: sssd-krb5.5.xml:175
4005
msgid "principal name"
4008
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4009
#: sssd-krb5.5.xml:179
4013
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4014
#: sssd-krb5.5.xml:180
4018
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4019
#: sssd-krb5.5.xml:183
4023
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4024
#: sssd-krb5.5.xml:184
4025
msgid "home directory"
4028
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4029
#: sssd-krb5.5.xml:188
4033
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4034
#: sssd-krb5.5.xml:189
4035
msgid "value of krb5_ccachedir"
4038
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4039
#: sssd-krb5.5.xml:194
4043
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4044
#: sssd-krb5.5.xml:195
4045
msgid "the process ID of the sssd client"
4048
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4049
#: sssd-krb5.5.xml:200
4053
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4054
#: sssd-krb5.5.xml:201
4055
msgid "a literal '%'"
4058
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4059
#: sssd-krb5.5.xml:160
4061
"Location of the user's credential cache. Currently only file based "
4062
"credential caches are supported. In the template the following sequences are "
4063
"substituted: <placeholder type=\"variablelist\" id=\"0\"/> If the template "
4064
"ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe "
4068
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4069
#: sssd-krb5.5.xml:209
4070
msgid "Default: FILE:%d/krb5cc_%U_XXXXXX"
4073
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4074
#: sssd-krb5.5.xml:215
4075
msgid "krb5_auth_timeout (integer)"
4078
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4079
#: sssd-krb5.5.xml:218
4081
"Timeout in seconds after an online authentication or change password request "
4082
"is aborted. If possible the authentication request is continued offline."
4085
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4086
#: sssd-krb5.5.xml:241
4087
msgid "krb5_keytab (string)"
4090
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4091
#: sssd-krb5.5.xml:244
4093
"The location of the keytab to use when validating credentials obtained from "
4097
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4098
#: sssd-krb5.5.xml:248
4099
msgid "Default: /etc/krb5.keytab"
4102
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4103
#: sssd-krb5.5.xml:254
4104
msgid "krb5_store_password_if_offline (boolean)"
4107
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4108
#: sssd-krb5.5.xml:257
4110
"Store the password of the user if the provider is offline and use it to "
4111
"request a TGT when the provider gets online again."
4114
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4115
#: sssd-krb5.5.xml:262
4117
"Please note that this feature is currently only available on a Linux platform."
4120
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4121
#: sssd-krb5.5.xml:272
4122
msgid "krb5_renewable_lifetime (string)"
4125
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4126
#: sssd-krb5.5.xml:275
4128
"Request a renewable ticket with a total lifetime given by an integer "
4129
"immediately followed by one of the following delimiters:"
4132
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4133
#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
4134
msgid "<emphasis>s</emphasis> seconds"
4137
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4138
#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
4139
msgid "<emphasis>m</emphasis> minutes"
4142
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4143
#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
4144
msgid "<emphasis>h</emphasis> hours"
4147
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4148
#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
4149
msgid "<emphasis>d</emphasis> days."
4152
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4153
#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
4154
msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
4157
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4158
#: sssd-krb5.5.xml:296
4160
"Please note that it is not possible to mix units. If you want to set the "
4161
"renewable lifetime to one and a half hours please use '90m' instead of "
4165
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4166
#: sssd-krb5.5.xml:302
4167
msgid "Default: not set, i.e. the TGT is not renewable"
4170
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4171
#: sssd-krb5.5.xml:308
4172
msgid "krb5_lifetime (string)"
4175
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4176
#: sssd-krb5.5.xml:311
4178
"Request a ticket with a lifetime given by an integer immediately "
4179
"followed by one of the following delimiters:"
4182
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4183
#: sssd-krb5.5.xml:332
4185
"Please note that it is not possible to mix units. If you want to set the "
4186
"lifetime to one and a half hours please use '90m' instead of '1h30m'."
4189
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4190
#: sssd-krb5.5.xml:337
4192
"Default: not set, i.e. the default ticket lifetime configured on the KDC."
4195
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4196
#: sssd-krb5.5.xml:344
4197
msgid "krb5_renew_interval (integer)"
4200
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4201
#: sssd-krb5.5.xml:347
4203
"The time in seconds between two checks if the TGT should be renewed. TGTs "
4204
"are renewed if about half of their lifetime is exceeded."
4207
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4208
#: sssd-krb5.5.xml:352
4209
msgid "If this option is not set or 0 the automatic renewal is disabled."
4212
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4213
#: sssd-krb5.5.xml:362
4214
msgid "krb5_use_fast (string)"
4217
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4218
#: sssd-krb5.5.xml:365
4220
"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
4221
"authentication. The following options are supported:"
4224
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4225
#: sssd-krb5.5.xml:370
4227
"<emphasis>never</emphasis> use FAST, this is equivalent to not setting this "
4231
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4232
#: sssd-krb5.5.xml:374
4234
"<emphasis>try</emphasis> to use FAST, if the server does not support fast "
4238
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4239
#: sssd-krb5.5.xml:378
4241
"<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
4245
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4246
#: sssd-krb5.5.xml:382
msgid "Default: not set, i.e. FAST is not used."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
#: sssd-krb5.5.xml:385
msgid "Please note that a keytab is required to use FAST."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
#: sssd-krb5.5.xml:388
"Please note also that sssd supports FAST only with MIT Kerberos version 1.8 "
"and above. If sssd is used with an older version, using this option is a "
"configuration error."
#. type: Content of: <reference><refentry><refsect1><para>
#: sssd-krb5.5.xml:65
"If the auth-module krb5 is used in a SSSD domain, the following options must "
"be used. See the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
"<manvolnum>5</manvolnum> </citerefentry> manual page, section <quote>DOMAIN "
"SECTIONS</quote> for details on the configuration of a SSSD domain. "
"<placeholder type=\"variablelist\" id=\"0\"/>"
#. type: Content of: <reference><refentry><refsect1><para>
#: sssd-krb5.5.xml:407
"The following example assumes that SSSD is correctly configured and FOO is "
"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
"example shows only configuration of Kerberos authentication, it does not "
"include any identity provider."
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
#: sssd-krb5.5.xml:415
" auth_provider = krb5\n"
" krb5_server = 192.168.1.1\n"
" krb5_realm = EXAMPLE.COM\n"
#. type: Content of: <reference><refentry><refsect1><para>
#: sssd-krb5.5.xml:426
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
#. type: Content of: <reference><refentry><refnamediv><refname>
#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
msgid "sss_groupadd"
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
#: sss_groupadd.8.xml:16
msgid "create a new group"
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
#: sss_groupadd.8.xml:21
"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupadd.8.xml:32
"<command>sss_groupadd</command> creates a new group. These groups are "
"compatible with POSIX groups, with the additional feature that they can "
"contain other groups as members."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_groupadd.8.xml:43
"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_groupadd.8.xml:48
"Set the GID of the group to the value of <replaceable>GID</replaceable>. If "
"not given, it is chosen automatically."
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupadd.8.xml:60
"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
#. type: Content of: <reference><refentry><refnamediv><refname>
#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
#: sss_userdel.8.xml:16
msgid "delete a user account"
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
#: sss_userdel.8.xml:21
"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_userdel.8.xml:32
"<command>sss_userdel</command> deletes a user identified by login name "
"<replaceable>LOGIN</replaceable> from the system."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_userdel.8.xml:44
msgid "<option>-r</option>,<option>--remove</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_userdel.8.xml:48
"Files in the user's home directory will be removed along with the home "
"directory itself and the user's mail spool. Overrides the configuration."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_userdel.8.xml:56
msgid "<option>-R</option>,<option>--no-remove</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_userdel.8.xml:60
"Files in the user's home directory will NOT be removed along with the home "
"directory itself and the user's mail spool. Overrides the configuration."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_userdel.8.xml:68
msgid "<option>-f</option>,<option>--force</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_userdel.8.xml:72
"This option forces <command>sss_userdel</command> to remove the user's home "
"directory and mail spool, even if they are not owned by the specified user."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_userdel.8.xml:80
msgid "<option>-k</option>,<option>--kick</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_userdel.8.xml:84
msgid "Before actually deleting the user, terminate all his processes."
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_userdel.8.xml:95
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
#. type: Content of: <reference><refentry><refnamediv><refname>
#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
msgid "sss_groupdel"
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
#: sss_groupdel.8.xml:16
msgid "delete a group"
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
#: sss_groupdel.8.xml:21
"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupdel.8.xml:32
"<command>sss_groupdel</command> deletes a group identified by its name "
"<replaceable>GROUP</replaceable> from the system."
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupdel.8.xml:48
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
#. type: Content of: <reference><refentry><refnamediv><refname>
#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
msgid "sss_groupshow"
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
#: sss_groupshow.8.xml:16
msgid "print properties of a group"
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
#: sss_groupshow.8.xml:21
"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupshow.8.xml:32
"<command>sss_groupshow</command> displays information about a group "
"identified by its name <replaceable>GROUP</replaceable>. The information "
"includes the group ID number, members of the group and the parent group."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_groupshow.8.xml:43
msgid "<option>-R</option>,<option>--recursive</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_groupshow.8.xml:47
"Also print indirect group members in a tree-like hierarchy. Note that this "
"also affects printing parent groups - without <option>R</option>, only the "
"direct parent will be printed."
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupshow.8.xml:60
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
#. type: Content of: <reference><refentry><refnamediv><refname>
#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
#: sss_usermod.8.xml:16
msgid "modify a user account"
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
#: sss_usermod.8.xml:21
"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_usermod.8.xml:32
"<command>sss_usermod</command> modifies the account specified by "
"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
"on the command line."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:60
msgid "The home directory of the user account."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:71
msgid "The user's login shell."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:82
"Append this user to groups specified by the <replaceable>GROUPS</"
"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
"a comma separated list of group names."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:96
"Remove this user from groups specified by the <replaceable>GROUPS</"
"replaceable> parameter."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_usermod.8.xml:103
msgid "<option>-l</option>,<option>--lock</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:107
msgid "Lock the user account. The user won't be able to log in."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_usermod.8.xml:114
msgid "<option>-u</option>,<option>--unlock</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:118
msgid "Unlock the user account."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:129
msgid "The SELinux user for the user's login."
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_usermod.8.xml:140
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
#. type: Content of: <refsect1><title>
#: include/service_discovery.xml:2
msgid "SERVICE DISCOVERY"
#. type: Content of: <refsect1><para>
#: include/service_discovery.xml:4
"The service discovery feature allows back ends to automatically find the "
"appropriate servers to connect to using a special DNS query."
#. type: Content of: <refsect1><refsect2><title>
#: include/service_discovery.xml:9
msgid "Configuration"
#. type: Content of: <refsect1><refsect2><para>
#: include/service_discovery.xml:11
"If no servers are specified, the back end automatically uses service "
"discovery to try to find a server. Optionally, the user may choose to use "
"both fixed server addresses and service discovery by inserting a special "
"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
"preference is maintained. This feature is useful if, for example, the user "
"prefers to use service discovery whenever possible, and fall back to a "
"specific server when no servers can be discovered using DNS."
#. type: Content of: <refsect1><refsect2><title>
#: include/service_discovery.xml:23
msgid "The domain name"
#. type: Content of: <refsect1><refsect2><para>
#: include/service_discovery.xml:25
"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
"manvolnum> </citerefentry> manual page for more details."
#. type: Content of: <refsect1><refsect2><title>
#: include/service_discovery.xml:35
msgid "The protocol"
#. type: Content of: <refsect1><refsect2><para>
#: include/service_discovery.xml:37
"The queries usually specify _tcp as the protocol. Exceptions are documented "
"in respective option description."
#. type: Content of: <refsect1><refsect2><title>
#: include/service_discovery.xml:42
#. type: Content of: <refsect1><refsect2><para>
#: include/service_discovery.xml:44
"For more information on the service discovery mechanism, refer to RFC 2782."
#. type: Content of: outside any tag (error?)
#: include/upstream.xml:1
msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
#. type: Content of: <refsect1><title>
#: include/failover.xml:2
#. type: Content of: <refsect1><para>
#: include/failover.xml:4
"The failover feature allows back ends to automatically switch to a different "
"server if the primary server fails."
#. type: Content of: <refsect1><refsect2><title>
#: include/failover.xml:8
msgid "Failover Syntax"
#. type: Content of: <refsect1><refsect2><para>
#: include/failover.xml:10
"The list of servers is given as a comma-separated list; any number of spaces "
"is allowed around the comma. The servers are listed in order of preference. "
"The list can contain any number of servers."
#. type: Content of: <refsect1><refsect2><title>
#: include/failover.xml:17
msgid "The Failover Mechanism"
#. type: Content of: <refsect1><refsect2><para>
#: include/failover.xml:19
"The failover mechanism distinguishes between a machine and a service. The "
"back end first tries to resolve the hostname of a given machine; if this "
"resolution attempt fails, the machine is considered offline. No further "
"attempts are made to connect to this machine for any other service. If the "
"resolution attempt succeeds, the back end tries to connect to a service on "
"this machine. If the service connection attempt fails, then only this "
"particular service is considered offline and the back end automatically "
"switches over to the next service. The machine is still considered online "
"and might still be tried for another service."
#. type: Content of: <refsect1><refsect2><para>
#: include/failover.xml:32
"Further connection attempts are made to machines or services marked as "
"offline after a specified period of time; this is currently hard coded to 30 "
#. type: Content of: <refsect1><refsect2><para>
#: include/failover.xml:37
"If there are no more machines to try, the back end as a whole switches to "
"offline mode, and then attempts to reconnect every 30 seconds."
#. type: Content of: <varlistentry><term>
#: include/param_help.xml:3
msgid "<option>-h</option>,<option>--help</option>"
#. type: Content of: <varlistentry><listitem><para>
#: include/param_help.xml:7
msgid "Display help message and exit."