1
# SOME DESCRIPTIVE TITLE
2
# Copyright (C) YEAR Red Hat
3
# This file is distributed under the same license as the sssd-docs package.
4
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
8
"Project-Id-Version: SSSD\n"
9
"Report-Msgid-Bugs-To: sssd-devel@redhat.com\n"
10
"POT-Creation-Date: 2011-05-27 15:50-0300\n"
11
"PO-Revision-Date: 2011-03-10 00:18+0000\n"
12
"Last-Translator: sgallagh <sgallagh@redhat.com>\n"
13
"Language-Team: Polish <None>\n"
16
"Content-Type: text/plain; charset=UTF-8\n"
17
"Content-Transfer-Encoding: 8bit\n"
18
"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
19
"|| n%100>=20) ? 1 : 2)\n"
21
#. type: Content of: <reference><title>
22
#: sss_groupmod.8.xml:5 sssd.conf.5.xml:5 sssd-ldap.5.xml:5 pam_sss.8.xml:5
23
#: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sssd-ipa.5.xml:5
24
#: sssd.8.xml:5 sss_obfuscate.8.xml:5 sss_useradd.8.xml:5 sssd-krb5.5.xml:5
25
#: sss_groupadd.8.xml:5 sss_userdel.8.xml:5 sss_groupdel.8.xml:5
26
#: sss_groupshow.8.xml:5 sss_usermod.8.xml:5
27
msgid "SSSD Manual pages"
30
#. type: Content of: <reference><refentry><refnamediv><refname>
31
#: sss_groupmod.8.xml:10 sss_groupmod.8.xml:15
35
#. type: Content of: <reference><refentry><refmeta><manvolnum>
36
#: sss_groupmod.8.xml:11 pam_sss.8.xml:14 sssd_krb5_locator_plugin.8.xml:11
37
#: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_useradd.8.xml:11
38
#: sss_groupadd.8.xml:11 sss_userdel.8.xml:11 sss_groupdel.8.xml:11
39
#: sss_groupshow.8.xml:11 sss_usermod.8.xml:11
43
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
44
#: sss_groupmod.8.xml:16
45
msgid "modify a group"
48
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
49
#: sss_groupmod.8.xml:21
51
"<command>sss_groupmod</command> <arg choice='opt'> <replaceable>options</"
52
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
56
#. type: Content of: <reference><refentry><refsect1><title>
57
#: sss_groupmod.8.xml:30 sssd-ldap.5.xml:21 pam_sss.8.xml:41
58
#: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sssd-ipa.5.xml:21
59
#: sssd.8.xml:29 sss_obfuscate.8.xml:30 sss_useradd.8.xml:30
60
#: sssd-krb5.5.xml:21 sss_groupadd.8.xml:30 sss_userdel.8.xml:30
61
#: sss_groupdel.8.xml:30 sss_groupshow.8.xml:30 sss_usermod.8.xml:30
65
#. type: Content of: <reference><refentry><refsect1><para>
66
#: sss_groupmod.8.xml:32
68
"<command>sss_groupmod</command> modifies the group to reflect the changes "
69
"that are specified on the command line."
72
#. type: Content of: <reference><refentry><refsect1><title>
73
#: sss_groupmod.8.xml:39 pam_sss.8.xml:48 sssd.8.xml:42 sss_obfuscate.8.xml:58
74
#: sss_useradd.8.xml:39 sss_groupadd.8.xml:39 sss_userdel.8.xml:39
75
#: sss_groupdel.8.xml:39 sss_groupshow.8.xml:39 sss_usermod.8.xml:39
79
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
80
#: sss_groupmod.8.xml:43 sss_usermod.8.xml:77
82
"<option>-a</option>,<option>--append-group</option> <replaceable>GROUPS</"
86
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
87
#: sss_groupmod.8.xml:48
89
"Append this group to groups specified by the <replaceable>GROUPS</"
90
"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
91
"a comma separated list of group names."
94
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
95
#: sss_groupmod.8.xml:57 sss_usermod.8.xml:91
97
"<option>-r</option>,<option>--remove-group</option> <replaceable>GROUPS</"
101
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
102
#: sss_groupmod.8.xml:62
104
"Remove this group from groups specified by the <replaceable>GROUPS</"
105
"replaceable> parameter."
108
#. type: Content of: <reference><refentry><refsect1><title>
109
#: sss_groupmod.8.xml:72 sssd.conf.5.xml:1008 sssd-ldap.5.xml:1418
110
#: pam_sss.8.xml:128 sssd_krb5_locator_plugin.8.xml:75 sssd-simple.5.xml:143
111
#: sssd-ipa.5.xml:206 sssd.8.xml:166 sss_obfuscate.8.xml:103
112
#: sss_useradd.8.xml:167 sssd-krb5.5.xml:424 sss_groupadd.8.xml:58
113
#: sss_userdel.8.xml:93 sss_groupdel.8.xml:46 sss_groupshow.8.xml:58
114
#: sss_usermod.8.xml:138
118
#. type: Content of: <reference><refentry><refsect1><para>
119
#: sss_groupmod.8.xml:74
121
"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
122
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
123
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
124
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
125
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
126
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
127
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
128
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
129
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
132
#. type: Content of: <reference><refentry><refnamediv><refname>
133
#: sssd.conf.5.xml:10 sssd.conf.5.xml:16
137
#. type: Content of: <reference><refentry><refmeta><manvolnum>
138
#: sssd.conf.5.xml:11 sssd-ldap.5.xml:11 sssd-simple.5.xml:11
139
#: sssd-ipa.5.xml:11 sssd-krb5.5.xml:11
143
#. type: Content of: <reference><refentry><refmeta><refmiscinfo>
144
#: sssd.conf.5.xml:12 sssd-ldap.5.xml:12 sssd-simple.5.xml:12
145
#: sssd-ipa.5.xml:12 sssd-krb5.5.xml:12
146
msgid "File Formats and Conventions"
149
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
150
#: sssd.conf.5.xml:17 sssd-ldap.5.xml:17 sssd_krb5_locator_plugin.8.xml:16
151
#: sssd-ipa.5.xml:17 sssd-krb5.5.xml:17
152
msgid "the configuration file for SSSD"
155
#. type: Content of: <reference><refentry><refsect1><title>
156
#: sssd.conf.5.xml:21
160
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
161
#: sssd.conf.5.xml:29
164
" <replaceable>[section]</replaceable>\n"
165
" <replaceable>key</replaceable> = <replaceable>value</replaceable>\n"
166
" <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n"
170
#. type: Content of: <reference><refentry><refsect1><para>
171
#: sssd.conf.5.xml:24
173
"The file has an ini-style syntax and consists of sections and parameters. A "
174
"section begins with the name of the section in square brackets and continues "
175
"until the next section begins. An example of a section with single and multi-"
176
"valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>"
179
#. type: Content of: <reference><refentry><refsect1><para>
180
#: sssd.conf.5.xml:36
182
"The data types used are string (no quotes needed), integer and bool (with "
183
"values of <quote>TRUE/FALSE</quote>)."
186
#. type: Content of: <reference><refentry><refsect1><para>
187
#: sssd.conf.5.xml:41
189
"A line comment starts with a hash sign (<quote>#</quote>) or a semicolon "
193
#. type: Content of: <reference><refentry><refsect1><para>
194
#: sssd.conf.5.xml:46
196
"All sections can have an optional <replaceable>description</replaceable> "
197
"parameter. Its function is only as a label for the section."
200
#. type: Content of: <reference><refentry><refsect1><para>
201
#: sssd.conf.5.xml:52
203
"<filename>sssd.conf</filename> must be a regular file owned by root, and "
204
"only root may read from or write to the file."
207
#. type: Content of: <reference><refentry><refsect1><title>
208
#: sssd.conf.5.xml:58
209
msgid "SPECIAL SECTIONS"
212
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
213
#: sssd.conf.5.xml:61
214
msgid "The [sssd] section"
217
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title>
218
#: sssd.conf.5.xml:70 sssd.conf.5.xml:854
219
msgid "Section parameters"
222
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
223
#: sssd.conf.5.xml:72
224
msgid "config_file_version (integer)"
227
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
228
#: sssd.conf.5.xml:75
230
"Indicates which syntax the config file uses. SSSD 0.6.0 and later use "
234
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
235
#: sssd.conf.5.xml:81
239
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
240
#: sssd.conf.5.xml:84
242
"Comma separated list of services that are started when sssd itself starts."
245
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
246
#: sssd.conf.5.xml:88
247
msgid "Supported services: nss, pam"
250
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
251
#: sssd.conf.5.xml:93 sssd.conf.5.xml:234
252
msgid "reconnection_retries (integer)"
255
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
256
#: sssd.conf.5.xml:96 sssd.conf.5.xml:237
258
"Number of times services should attempt to reconnect in the event of a Data "
259
"Provider crash or restart before they give up"
262
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
263
#: sssd.conf.5.xml:101 sssd.conf.5.xml:242
267
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
268
#: sssd.conf.5.xml:106
272
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
273
#: sssd.conf.5.xml:109
275
"A domain is a database containing user information. SSSD can use multiple "
276
"domains at the same time, but at least one must be configured or SSSD won't "
277
"start. This parameter describes the list of domains in the order you want "
278
"them to be queried."
281
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
282
#: sssd.conf.5.xml:119
283
msgid "re_expression (string)"
286
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
287
#: sssd.conf.5.xml:122
289
"Regular expression that describes how to parse the string containing user "
290
"name and domain into these components."
293
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
294
#: sssd.conf.5.xml:126
296
"Default: <quote>(?P<name>[^@]+)@?(?P<domain>[^@]*$)</quote> "
297
"which translates to \"the name is everything up to the <quote>@</quote> "
298
"sign, the domain everything after that\""
301
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
302
#: sssd.conf.5.xml:131
304
"PLEASE NOTE: the support for non-unique named subpatterns is not available "
305
"on all platforms (e.g. RHEL5 and SLES10). Only platforms with libpcre "
306
"version 7 or higher can support non-unique named subpatterns."
309
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
310
#: sssd.conf.5.xml:138
312
"PLEASE NOTE ALSO: older versions of libpcre only support the Python syntax (?"
313
"P<name>) to label subpatterns."
316
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
317
#: sssd.conf.5.xml:145
318
msgid "full_name_format (string)"
321
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
322
#: sssd.conf.5.xml:148
324
"A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</"
325
"manvolnum> </citerefentry>-compatible format that describes how to translate "
326
"a (name, domain) tuple into a fully qualified name."
329
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
330
#: sssd.conf.5.xml:156
331
msgid "Default: <quote>%1$s@%2$s</quote>."
334
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term>
335
#: sssd.conf.5.xml:161
336
msgid "try_inotify (boolean)"
339
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
340
#: sssd.conf.5.xml:164
342
"SSSD monitors the state of resolv.conf to identify when it needs to update "
343
"its internal DNS resolver. By default, we will attempt to use inotify for "
344
"this, and will fall back to polling resolv.conf every five seconds if "
345
"inotify cannot be used."
348
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
349
#: sssd.conf.5.xml:172
351
"There are some limited situations where it is preferred that we should skip "
352
"even trying to use inotify. In these rare cases, this option should be set "
356
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
357
#: sssd.conf.5.xml:178
359
"Default: true on platforms where inotify is supported. False on other "
363
#. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para>
364
#: sssd.conf.5.xml:182
366
"Note: this option will have no effect on platforms where inotify is "
367
"unavailable. On these platforms, polling will always be used."
370
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
371
#: sssd.conf.5.xml:63
373
"Individual pieces of SSSD functionality are provided by special SSSD "
374
"services that are started and stopped together with SSSD. The services are "
375
"managed by a special service frequently called <quote>monitor</quote>. The "
376
"<quote>[sssd]</quote> section is used to configure the monitor as well as "
377
"some other important options like the identity domains. <placeholder type="
378
"\"variablelist\" id=\"0\"/>"
381
#. type: Content of: <reference><refentry><refsect1><title>
382
#: sssd.conf.5.xml:195
383
msgid "SERVICES SECTIONS"
386
#. type: Content of: <reference><refentry><refsect1><para>
387
#: sssd.conf.5.xml:197
389
"Settings that can be used to configure different services are described in "
390
"this section. They should reside in the [<replaceable>$NAME</replaceable>] "
391
"section, for example, for NSS service, the section would be <quote>[nss]</"
395
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
396
#: sssd.conf.5.xml:204
397
msgid "General service configuration options"
400
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
401
#: sssd.conf.5.xml:206
402
msgid "These options can be used to configure any service."
405
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
406
#: sssd.conf.5.xml:210
407
msgid "debug_level (integer)"
410
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
411
#: sssd.conf.5.xml:213
413
"Sets the debug level for the service. The value can be in range from 0 (only "
414
"critical messages) to 10 (very verbose)."
417
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
418
#: sssd.conf.5.xml:218 sssd.conf.5.xml:312
422
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
423
#: sssd.conf.5.xml:223 sssd.8.xml:58
424
msgid "debug_timestamps (bool)"
427
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
428
#: sssd.conf.5.xml:226 sssd.8.xml:61
429
msgid "Add a timestamp to the debug messages"
432
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
433
#: sssd.conf.5.xml:229 sssd.conf.5.xml:353 sssd-ldap.5.xml:1044
434
#: sssd-ldap.5.xml:1149 sssd-ipa.5.xml:155
435
msgid "Default: true"
438
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
439
#: sssd.conf.5.xml:247
440
msgid "command (string)"
443
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
444
#: sssd.conf.5.xml:250
446
"By default, the executable representing this service is called <command>sssd_"
447
"${service_name}</command>. This directive allows changing the executable "
448
"name for the service. In the vast majority of configurations, the default "
449
"values should suffice."
452
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
453
#: sssd.conf.5.xml:258
454
msgid "Default: <command>sssd_${service_name}</command>"
457
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
458
#: sssd.conf.5.xml:266
459
msgid "NSS configuration options"
462
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
463
#: sssd.conf.5.xml:268
465
"These options can be used to configure the Name Service Switch (NSS) service."
468
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
469
#: sssd.conf.5.xml:273
470
msgid "enum_cache_timeout (integer)"
473
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
474
#: sssd.conf.5.xml:276
476
"How many seconds should nss_sss cache enumerations (requests for info about "
480
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
481
#: sssd.conf.5.xml:280
485
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
486
#: sssd.conf.5.xml:285
487
msgid "entry_cache_nowait_percentage (integer)"
490
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
491
#: sssd.conf.5.xml:288
493
"The entry cache can be set to automatically update entries in the background "
494
"if they are requested beyond a percentage of the entry_cache_timeout value "
498
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
499
#: sssd.conf.5.xml:294
501
"For example, if the domain's entry_cache_timeout is set to 30s and "
502
"entry_cache_nowait_percentage is set to 50 (percent), entries that come in "
503
"after 15 seconds past the last cache update will be returned immediately, "
504
"but the SSSD will go and update the cache on its own, so that future "
505
"requests will not need to block waiting for a cache update."
508
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
509
#: sssd.conf.5.xml:304
511
"Valid values for this option are 0-99 and represent a percentage of the "
512
"entry_cache_timeout for each domain. For performance reasons, this "
513
"percentage will never reduce the nowait timeout to less than 10 seconds. (0 "
514
"disables this feature)"
517
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
518
#: sssd.conf.5.xml:317
519
msgid "entry_negative_timeout (integer)"
522
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
523
#: sssd.conf.5.xml:320
525
"Specifies for how many seconds nss_sss should cache negative cache hits "
526
"(that is, queries for invalid database entries, like nonexistent ones) "
527
"before asking the back end again."
530
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
531
#: sssd.conf.5.xml:326 sssd-krb5.5.xml:223
535
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
536
#: sssd.conf.5.xml:331
537
msgid "filter_users, filter_groups (string)"
540
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
541
#: sssd.conf.5.xml:334
543
"Exclude certain users from being fetched from the sss NSS database. This is "
544
"particularly useful for system accounts. This option can also be set per-"
545
"domain or include fully-qualified names to filter only users from the "
549
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
550
#: sssd.conf.5.xml:341
551
msgid "Default: root"
554
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
555
#: sssd.conf.5.xml:346
556
msgid "filter_users_in_groups (bool)"
559
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
560
#: sssd.conf.5.xml:349
562
"If you want filtered users to still be group members, set this option to false."
565
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
566
#: sssd.conf.5.xml:360
567
msgid "PAM configuration options"
570
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
571
#: sssd.conf.5.xml:362
573
"These options can be used to configure the Pluggable Authentication Module "
577
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
578
#: sssd.conf.5.xml:367
579
msgid "offline_credentials_expiration (integer)"
582
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
583
#: sssd.conf.5.xml:370
585
"If the authentication provider is offline, how long should we allow cached "
586
"logins (in days since the last successful online login)."
589
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
590
#: sssd.conf.5.xml:375 sssd.conf.5.xml:388
591
msgid "Default: 0 (No limit)"
594
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
595
#: sssd.conf.5.xml:381
596
msgid "offline_failed_login_attempts (integer)"
599
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
600
#: sssd.conf.5.xml:384
602
"If the authentication provider is offline, how many failed login attempts "
606
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
607
#: sssd.conf.5.xml:394
608
msgid "offline_failed_login_delay (integer)"
611
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
612
#: sssd.conf.5.xml:397
614
"The time in minutes which has to pass after offline_failed_login_attempts "
615
"has been reached before a new login attempt is possible."
618
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
619
#: sssd.conf.5.xml:402
621
"If set to 0 the user cannot authenticate offline if "
622
"offline_failed_login_attempts has been reached. Only a successful online "
623
"authentication can enable offline authentication again."
626
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
627
#: sssd.conf.5.xml:408 sssd.conf.5.xml:461 sssd.conf.5.xml:793
631
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
632
#: sssd.conf.5.xml:414
633
msgid "pam_verbosity (integer)"
636
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
637
#: sssd.conf.5.xml:417
639
"Controls what kind of messages are shown to the user during authentication. "
640
"The higher the number, the more messages are displayed."
643
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
644
#: sssd.conf.5.xml:422
645
msgid "Currently sssd supports the following values:"
648
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
649
#: sssd.conf.5.xml:425
650
msgid "<emphasis>0</emphasis>: do not show any message"
653
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
654
#: sssd.conf.5.xml:428
655
msgid "<emphasis>1</emphasis>: show only important messages"
658
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
659
#: sssd.conf.5.xml:432
660
msgid "<emphasis>2</emphasis>: show informational messages"
663
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
664
#: sssd.conf.5.xml:435
665
msgid "<emphasis>3</emphasis>: show all messages and debug information"
668
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
669
#: sssd.conf.5.xml:439
673
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
674
#: sssd.conf.5.xml:444
675
msgid "pam_id_timeout (integer)"
678
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
679
#: sssd.conf.5.xml:447
681
"For any PAM request while SSSD is online, the SSSD will attempt to "
682
"immediately update the cached identity information for the user in order to "
683
"ensure that authentication takes place with the latest information."
686
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
687
#: sssd.conf.5.xml:453
689
"A complete PAM conversation may perform multiple PAM requests, such as "
690
"account management and session opening. This option controls (on a per-"
691
"client-application basis) how long (in seconds) we can cache the identity "
692
"information to avoid excessive round-trips to the identity provider."
695
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
696
#: sssd.conf.5.xml:467
697
msgid "pam_pwd_expiration_warning (integer)"
700
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
701
#: sssd.conf.5.xml:470
702
msgid "Display a warning N days before the password expires."
705
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
706
#: sssd.conf.5.xml:473
708
"Please note that the backend server has to provide information about the "
709
"expiration time of the password. If this information is missing, sssd "
710
"cannot display a warning."
713
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
714
#: sssd.conf.5.xml:479
718
#. type: Content of: <reference><refentry><refsect1><title>
719
#: sssd.conf.5.xml:488
720
msgid "DOMAIN SECTIONS"
723
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
724
#: sssd.conf.5.xml:495
725
msgid "min_id,max_id (integer)"
728
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
729
#: sssd.conf.5.xml:498
731
"UID and GID limits for the domain. If a domain contains an entry that is "
732
"outside these limits, it is ignored."
735
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
736
#: sssd.conf.5.xml:503
738
"For users, this affects the primary GID limit. The user will not be returned "
739
"to NSS if either the UID or the primary GID is outside the range. For non-"
740
"primary group memberships, those that are in range will be reported as "
744
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
745
#: sssd.conf.5.xml:510
746
msgid "Default: 1 for min_id, 0 (no limit) for max_id"
749
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
750
#: sssd.conf.5.xml:516
751
msgid "timeout (integer)"
754
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
755
#: sssd.conf.5.xml:519
757
"Timeout in seconds between heartbeats for this domain. This is used to "
758
"ensure that the backend process is alive and capable of answering requests."
761
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
762
#: sssd.conf.5.xml:524
766
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
767
#: sssd.conf.5.xml:530
768
msgid "enumerate (bool)"
771
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
772
#: sssd.conf.5.xml:533
774
"Determines if a domain can be enumerated. This parameter can have one of the "
778
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
779
#: sssd.conf.5.xml:537
780
msgid "TRUE = Users and groups are enumerated"
783
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
784
#: sssd.conf.5.xml:540
785
msgid "FALSE = No enumerations for this domain"
788
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
789
#: sssd.conf.5.xml:543 sssd.conf.5.xml:591 sssd.conf.5.xml:645
790
msgid "Default: FALSE"
793
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
794
#: sssd.conf.5.xml:546
796
"Note: Enabling enumeration has a moderate performance impact on SSSD while "
797
"enumeration is running. It may take up to several minutes after SSSD startup "
798
"to fully complete enumerations. During this time, individual requests for "
799
"information will go directly to LDAP, though it may be slow, due to the "
800
"heavy enumeration processing."
803
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
804
#: sssd.conf.5.xml:556
806
"While the first enumeration is running, requests for the complete user or "
807
"group lists may return no results until it completes."
810
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
811
#: sssd.conf.5.xml:561
813
"Further, enabling enumeration may increase the time necessary to detect "
814
"network disconnection, as longer timeouts are required to ensure that "
815
"enumeration lookups are completed successfully. For more information, refer "
816
"to the man pages for the specific id_provider in use."
819
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
820
#: sssd.conf.5.xml:572
821
msgid "entry_cache_timeout (integer)"
824
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
825
#: sssd.conf.5.xml:575
827
"How many seconds should nss_sss consider entries valid before asking the "
831
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
832
#: sssd.conf.5.xml:579
833
msgid "Default: 5400"
836
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
837
#: sssd.conf.5.xml:584
838
msgid "cache_credentials (bool)"
841
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
842
#: sssd.conf.5.xml:587
843
msgid "Determines if user credentials are also cached in the local LDB cache"
846
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
847
#: sssd.conf.5.xml:596
848
msgid "account_cache_expiration (integer)"
851
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
852
#: sssd.conf.5.xml:599
854
"Number of days entries are left in cache after last successful login before "
855
"being removed during a cleanup of the cache. 0 means keep forever. The "
856
"value of this parameter must be greater than or equal to "
857
"offline_credentials_expiration."
860
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
861
#: sssd.conf.5.xml:606
862
msgid "Default: 0 (unlimited)"
865
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
866
#: sssd.conf.5.xml:612
867
msgid "id_provider (string)"
870
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
871
#: sssd.conf.5.xml:615
872
msgid "The Data Provider identity backend to use for this domain."
875
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
876
#: sssd.conf.5.xml:619
877
msgid "Supported backends:"
880
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
881
#: sssd.conf.5.xml:622
882
msgid "proxy: Support a legacy NSS provider"
885
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
886
#: sssd.conf.5.xml:625
887
msgid "local: SSSD internal local provider"
890
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
891
#: sssd.conf.5.xml:628
892
msgid "ldap: LDAP provider"
895
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
896
#: sssd.conf.5.xml:634
897
msgid "use_fully_qualified_names (bool)"
900
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
901
#: sssd.conf.5.xml:637
903
"If set to TRUE, all requests to this domain must use fully qualified names. "
904
"For example, if used in LOCAL domain that contains a \"test\" user, "
905
"<command>getent passwd test</command> wouldn't find the user while "
906
"<command>getent passwd test@LOCAL</command> would."
909
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
910
#: sssd.conf.5.xml:650
911
msgid "auth_provider (string)"
914
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
915
#: sssd.conf.5.xml:653
917
"The authentication provider used for the domain. Supported auth providers "
921
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
922
#: sssd.conf.5.xml:657
924
"<quote>ldap</quote> for native LDAP authentication. See <citerefentry> "
925
"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
926
"citerefentry> for more information on configuring LDAP."
929
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
930
#: sssd.conf.5.xml:664
932
"<quote>krb5</quote> for Kerberos authentication. See <citerefentry> "
933
"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
934
"citerefentry> for more information on configuring Kerberos."
937
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
938
#: sssd.conf.5.xml:671
940
"<quote>proxy</quote> for relaying authentication to some other PAM target."
943
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
944
#: sssd.conf.5.xml:674
945
msgid "<quote>none</quote> disables authentication explicitly."
948
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
949
#: sssd.conf.5.xml:677
951
"Default: <quote>id_provider</quote> is used if it is set and can handle "
952
"authentication requests."
955
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
956
#: sssd.conf.5.xml:683
957
msgid "access_provider (string)"
960
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
961
#: sssd.conf.5.xml:686
963
"The access control provider used for the domain. There are two built-in "
964
"access providers (in addition to any included in installed backends). "
965
"Internal special providers are:"
968
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
969
#: sssd.conf.5.xml:692
970
msgid "<quote>permit</quote> always allow access."
973
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
974
#: sssd.conf.5.xml:695
975
msgid "<quote>deny</quote> always deny access."
978
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
979
#: sssd.conf.5.xml:698
981
"<quote>simple</quote> access control based on access or deny lists. See "
982
"<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</"
983
"manvolnum></citerefentry> for more information on configuring the simple "
987
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
988
#: sssd.conf.5.xml:705
989
msgid "Default: <quote>permit</quote>"
992
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
993
#: sssd.conf.5.xml:710
994
msgid "chpass_provider (string)"
997
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
998
#: sssd.conf.5.xml:713
1000
"The provider which should handle change password operations for the domain. "
1001
"Supported change password providers are:"
1004
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1005
#: sssd.conf.5.xml:718
1007
"<quote>ipa</quote> to change a password stored in an IPA server. See "
1008
"<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</"
1009
"manvolnum> </citerefentry> for more information on configuring IPA."
1012
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1013
#: sssd.conf.5.xml:726
1015
"<quote>ldap</quote> to change a password stored in an LDAP server. See "
1016
"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
1017
"manvolnum> </citerefentry> for more information on configuring LDAP."
1020
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1021
#: sssd.conf.5.xml:734
1023
"<quote>krb5</quote> to change the Kerberos password. See <citerefentry> "
1024
"<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </"
1025
"citerefentry> for more information on configuring Kerberos."
1028
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1029
#: sssd.conf.5.xml:742
1031
"<quote>proxy</quote> for relaying password changes to some other PAM target."
1034
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1035
#: sssd.conf.5.xml:746
1036
msgid "<quote>none</quote> disallows password changes explicitly."
1039
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1040
#: sssd.conf.5.xml:749
1042
"Default: <quote>auth_provider</quote> is used if it is set and can handle "
1043
"change password requests."
1046
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1047
#: sssd.conf.5.xml:756
1048
msgid "lookup_family_order (string)"
1051
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1052
#: sssd.conf.5.xml:759
1054
"Provides the ability to select the preferred address family to use when "
1055
"performing DNS lookups."
1058
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1059
#: sssd.conf.5.xml:763
1060
msgid "Supported values:"
1063
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1064
#: sssd.conf.5.xml:766
1065
msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6"
1068
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1069
#: sssd.conf.5.xml:769
1070
msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses."
1073
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1074
#: sssd.conf.5.xml:772
1075
msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4"
1078
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1079
#: sssd.conf.5.xml:775
1080
msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses."
1083
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1084
#: sssd.conf.5.xml:778
1085
msgid "Default: ipv4_first"
1088
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1089
#: sssd.conf.5.xml:784
1090
msgid "dns_resolver_timeout (integer)"
1093
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1094
#: sssd.conf.5.xml:787
1096
"Defines the amount of time (in seconds) to wait for a reply from the DNS "
1097
"resolver before assuming that it is unreachable. If this timeout is reached, "
1098
"the domain will continue to operate in offline mode."
1101
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1102
#: sssd.conf.5.xml:799
1103
msgid "dns_discovery_domain (string)"
1106
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1107
#: sssd.conf.5.xml:802
1109
"If service discovery is used in the back end, specifies the domain part of "
1110
"the service discovery DNS query."
1113
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1114
#: sssd.conf.5.xml:806
1115
msgid "Default: Use the domain part of machine's hostname"
1118
#. type: Content of: <reference><refentry><refsect1><para>
1119
#: sssd.conf.5.xml:490
1121
"These configuration options can be present in a domain configuration "
1122
"section, that is, in a section called <quote>[domain/<replaceable>NAME</"
1123
"replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>"
1126
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1127
#: sssd.conf.5.xml:818
1128
msgid "proxy_pam_target (string)"
1131
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1132
#: sssd.conf.5.xml:821
1133
msgid "The proxy target PAM proxies to."
1136
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1137
#: sssd.conf.5.xml:824
1139
"Default: not set by default, you have to take an existing pam configuration "
1140
"or create a new one and add the service name here."
1143
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1144
#: sssd.conf.5.xml:832
1145
msgid "proxy_lib_name (string)"
1148
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1149
#: sssd.conf.5.xml:835
1151
"The name of the NSS library to use in proxy domains. The NSS functions "
1152
"searched for in the library are in the form of _nss_$(libName)_$(function), "
1153
"for example _nss_files_getpwent."
1156
#. type: Content of: <reference><refentry><refsect1><para>
1157
#: sssd.conf.5.xml:814
1159
"Options valid for proxy domains. <placeholder type=\"variablelist\" id="
1163
#. type: Content of: <reference><refentry><refsect1><refsect2><title>
1164
#: sssd.conf.5.xml:847
1165
msgid "The local domain section"
1168
#. type: Content of: <reference><refentry><refsect1><refsect2><para>
1169
#: sssd.conf.5.xml:849
1171
"This section contains settings for a domain that stores users and groups in "
1172
"SSSD native database, that is, a domain that uses "
1173
"<replaceable>id_provider=local</replaceable>."
1176
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1177
#: sssd.conf.5.xml:856
1178
msgid "default_shell (string)"
1181
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1182
#: sssd.conf.5.xml:859
1183
msgid "The default shell for users created with SSSD userspace tools."
1186
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1187
#: sssd.conf.5.xml:863
1188
msgid "Default: <filename>/bin/bash</filename>"
1191
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1192
#: sssd.conf.5.xml:868
1193
msgid "base_directory (string)"
1196
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1197
#: sssd.conf.5.xml:871
1199
"The tools append the login name to <replaceable>base_directory</replaceable> "
1200
"and use that as the home directory."
1203
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1204
#: sssd.conf.5.xml:876
1205
msgid "Default: <filename>/home</filename>"
1208
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1209
#: sssd.conf.5.xml:881
1210
msgid "create_homedir (bool)"
1213
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1214
#: sssd.conf.5.xml:884
1216
"Indicate if a home directory should be created by default for new users. "
1217
"Can be overridden on command line."
1220
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1221
#: sssd.conf.5.xml:888 sssd.conf.5.xml:900
1222
msgid "Default: TRUE"
1225
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1226
#: sssd.conf.5.xml:893
1227
msgid "remove_homedir (bool)"
1230
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1231
#: sssd.conf.5.xml:896
1233
"Indicate if a home directory should be removed by default for deleted "
1234
"users. Can be overridden on command line."
1237
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1238
#: sssd.conf.5.xml:905
1239
msgid "homedir_umask (integer)"
1242
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1243
#: sssd.conf.5.xml:908
1245
"Used by <citerefentry> <refentrytitle>sss_useradd</refentrytitle> "
1246
"<manvolnum>8</manvolnum> </citerefentry> to specify the default permissions "
1247
"on a newly created home directory."
1250
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1251
#: sssd.conf.5.xml:916
1252
msgid "Default: 077"
1255
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1256
#: sssd.conf.5.xml:921
1257
msgid "skel_dir (string)"
1260
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1261
#: sssd.conf.5.xml:924
1263
"The skeleton directory, which contains files and directories to be copied in "
1264
"the user's home directory, when the home directory is created by "
1265
"<citerefentry> <refentrytitle>sss_useradd</refentrytitle> <manvolnum>8</"
1266
"manvolnum> </citerefentry>"
1269
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1270
#: sssd.conf.5.xml:934
1271
msgid "Default: <filename>/etc/skel</filename>"
1274
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1275
#: sssd.conf.5.xml:939
1276
msgid "mail_dir (string)"
1279
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1280
#: sssd.conf.5.xml:942
1282
"The mail spool directory. This is needed to manipulate the mailbox when its "
1283
"corresponding user account is modified or deleted. If not specified, a "
1284
"default value is used."
1287
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1288
#: sssd.conf.5.xml:949
1289
msgid "Default: <filename>/var/mail</filename>"
1292
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term>
1293
#: sssd.conf.5.xml:954
1294
msgid "userdel_cmd (string)"
1297
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1298
#: sssd.conf.5.xml:957
1300
"The command that is run after a user is removed. The command is passed the "
1301
"username of the user being removed as the first and only parameter. The "
1302
"return code of the command is not taken into account."
1305
#. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para>
1306
#: sssd.conf.5.xml:963
1307
msgid "Default: None, no command is run"
1310
#. type: Content of: <reference><refentry><refsect1><title>
1311
#: sssd.conf.5.xml:973 sssd-ldap.5.xml:1386 sssd-simple.5.xml:126
1312
#: sssd-ipa.5.xml:188 sssd-krb5.5.xml:405
1316
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
1317
#: sssd.conf.5.xml:979
1322
"services = nss, pam\n"
1323
"config_file_version = 2\n"
1326
"filter_groups = root\n"
1327
"filter_users = root\n"
1332
"id_provider = ldap\n"
1333
"ldap_uri = ldap://ldap.example.com\n"
1334
"ldap_search_base = dc=example,dc=com\n"
1336
"auth_provider = krb5\n"
1337
"krb5_server = kerberos.example.com\n"
1338
"krb5_realm = EXAMPLE.COM\n"
1339
"cache_credentials = true\n"
1343
"enumerate = False\n"
1346
#. type: Content of: <reference><refentry><refsect1><para>
1347
#: sssd.conf.5.xml:975
1349
"The following example shows a typical SSSD config. It does not describe "
1350
"configuration of the domains themselves - refer to documentation on "
1351
"configuring domains for more details. <placeholder type=\"programlisting\" "
1355
#. type: Content of: <reference><refentry><refsect1><para>
1356
#: sssd.conf.5.xml:1010
1358
"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</"
1359
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
1360
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
1361
"<refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum> </"
1362
"citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
1363
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
1364
"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
1365
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
1366
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
1367
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
1368
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
1369
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
1370
"<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> </"
1374
#. type: Content of: <reference><refentry><refnamediv><refname>
1375
#: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16
1379
#. type: Content of: <reference><refentry><refsect1><para>
1380
#: sssd-ldap.5.xml:23
1382
"This manual page describes the configuration of LDAP domains for "
1383
"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
1384
"</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the "
1385
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
1386
"manvolnum> </citerefentry> manual page for detailed syntax information."
1389
#. type: Content of: <reference><refentry><refsect1><para>
1390
#: sssd-ldap.5.xml:35
1391
msgid "You can configure SSSD to use more than one LDAP domain."
1394
#. type: Content of: <reference><refentry><refsect1><para>
1395
#: sssd-ldap.5.xml:38
1397
"LDAP back end supports id, auth, access and chpass providers. If you want to "
1398
"authenticate against an LDAP server either TLS/SSL or LDAPS is required. "
1399
"<command>sssd</command> <emphasis>does not</emphasis> support authentication "
1400
"over an unencrypted channel. If the LDAP server is used only as an identity "
1401
"provider, an encrypted channel is not needed. Please refer to "
1402
"<quote>ldap_access_filter</quote> config option for more information about "
1403
"using LDAP as an access provider."
1406
#. type: Content of: <reference><refentry><refsect1><title>
1407
#: sssd-ldap.5.xml:49 sssd-simple.5.xml:69 sssd-ipa.5.xml:61
1408
#: sssd-krb5.5.xml:63
1409
msgid "CONFIGURATION OPTIONS"
1412
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1413
#: sssd-ldap.5.xml:60
1414
msgid "ldap_uri (string)"
1417
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1418
#: sssd-ldap.5.xml:63
1420
"Specifies the comma-separated list of URIs of the LDAP servers to which SSSD "
1421
"should connect in the order of preference. Refer to the <quote>FAILOVER</"
1422
"quote> section for more information on failover and server redundancy. If "
1423
"not specified, service discovery is enabled. For more information, refer to "
1424
"the <quote>SERVICE DISCOVERY</quote> section."
1427
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1428
#: sssd-ldap.5.xml:70
1429
msgid "The format of the URI must match the format defined in RFC 2732:"
1432
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1433
#: sssd-ldap.5.xml:73
1434
msgid "ldap[s]://<host>[:port]"
1437
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1438
#: sssd-ldap.5.xml:76
1440
"For explicit IPv6 addresses, <host> must be enclosed in brackets []"
1443
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1444
#: sssd-ldap.5.xml:79
1445
msgid "example: ldap://[fc00::126:25]:389"
1448
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1449
#: sssd-ldap.5.xml:85
1450
msgid "ldap_chpass_uri (string)"
1453
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1454
#: sssd-ldap.5.xml:88
1456
"Specifies the list of URIs of the LDAP servers to which SSSD should connect "
1457
"in the order of preference to change the password of a user. Refer to the "
1458
"<quote>FAILOVER</quote> section for more information on failover and server "
1462
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1463
#: sssd-ldap.5.xml:95
1464
msgid "To enable service discovery ldap_chpass_dns_service_name must be set."
1467
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1468
#: sssd-ldap.5.xml:99
1469
msgid "Default: empty, i.e. ldap_uri is used."
1472
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1473
#: sssd-ldap.5.xml:105
1474
msgid "ldap_search_base (string)"
1477
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1478
#: sssd-ldap.5.xml:108
1479
msgid "The default base DN to use for performing LDAP user operations."
1482
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1483
#: sssd-ldap.5.xml:112
1485
"Default: If not set the value of the defaultNamingContext or namingContexts "
1486
"attribute from the RootDSE of the LDAP server is used. If "
1487
"defaultNamingContext does not exist or has an empty value, namingContexts is "
1488
"used. The namingContexts attribute must have a single value with the DN of "
1489
"the search base of the LDAP server to make this work. Multiple values are "
1490
"not supported."
1493
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1494
#: sssd-ldap.5.xml:126
1495
msgid "ldap_schema (string)"
1498
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1499
#: sssd-ldap.5.xml:129
1501
"Specifies the Schema Type in use on the target LDAP server. Depending on "
1502
"the selected schema, the default attribute names retrieved from the servers "
1503
"may vary. The way that some attributes are handled may also differ. Three "
1504
"schema types are currently supported: rfc2307, rfc2307bis, IPA. The main "
1505
"difference between these schema types is how group memberships are recorded "
1506
"in the server. With rfc2307, group members are listed by name in the "
1507
"<emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, group "
1508
"members are listed by DN and stored in the <emphasis>member</emphasis> "
1512
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1513
#: sssd-ldap.5.xml:148
1514
msgid "Default: rfc2307"
1517
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1518
#: sssd-ldap.5.xml:154
1519
msgid "ldap_default_bind_dn (string)"
1522
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1523
#: sssd-ldap.5.xml:157
1524
msgid "The default bind DN to use for performing LDAP operations."
1527
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1528
#: sssd-ldap.5.xml:164
1529
msgid "ldap_default_authtok_type (string)"
1532
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1533
#: sssd-ldap.5.xml:167
1534
msgid "The type of the authentication token of the default bind DN."
1537
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1538
#: sssd-ldap.5.xml:171
1539
msgid "The two mechanisms currently supported are:"
1542
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1543
#: sssd-ldap.5.xml:174
1547
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1548
#: sssd-ldap.5.xml:177
1549
msgid "obfuscated_password"
1552
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1553
#: sssd-ldap.5.xml:180
1554
msgid "default: password"
1557
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1558
#: sssd-ldap.5.xml:186
1559
msgid "ldap_default_authtok (string)"
1562
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1563
#: sssd-ldap.5.xml:189
1565
"The authentication token of the default bind DN. Only clear text passwords "
1566
"are currently supported."
1569
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1570
#: sssd-ldap.5.xml:196
1571
msgid "ldap_user_object_class (string)"
1574
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1575
#: sssd-ldap.5.xml:199
1576
msgid "The object class of a user entry in LDAP."
1579
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1580
#: sssd-ldap.5.xml:202
1581
msgid "Default: posixAccount"
1584
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1585
#: sssd-ldap.5.xml:208
1586
msgid "ldap_user_name (string)"
1589
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1590
#: sssd-ldap.5.xml:211
1591
msgid "The LDAP attribute that corresponds to the user's login name."
1594
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1595
#: sssd-ldap.5.xml:215
1596
msgid "Default: uid"
1599
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1600
#: sssd-ldap.5.xml:221
1601
msgid "ldap_user_uid_number (string)"
1604
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1605
#: sssd-ldap.5.xml:224
1606
msgid "The LDAP attribute that corresponds to the user's id."
1609
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1610
#: sssd-ldap.5.xml:228
1611
msgid "Default: uidNumber"
1614
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1615
#: sssd-ldap.5.xml:234
1616
msgid "ldap_user_gid_number (string)"
1619
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1620
#: sssd-ldap.5.xml:237
1621
msgid "The LDAP attribute that corresponds to the user's primary group id."
1624
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1625
#: sssd-ldap.5.xml:241 sssd-ldap.5.xml:637
1626
msgid "Default: gidNumber"
1629
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1630
#: sssd-ldap.5.xml:247
1631
msgid "ldap_user_gecos (string)"
1634
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1635
#: sssd-ldap.5.xml:250
1636
msgid "The LDAP attribute that corresponds to the user's gecos field."
1639
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1640
#: sssd-ldap.5.xml:254
1641
msgid "Default: gecos"
1644
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1645
#: sssd-ldap.5.xml:260
1646
msgid "ldap_user_home_directory (string)"
1649
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1650
#: sssd-ldap.5.xml:263
1651
msgid "The LDAP attribute that contains the name of the user's home directory."
1654
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1655
#: sssd-ldap.5.xml:267
1656
msgid "Default: homeDirectory"
1659
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1660
#: sssd-ldap.5.xml:273
1661
msgid "ldap_user_shell (string)"
1664
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1665
#: sssd-ldap.5.xml:276
1666
msgid "The LDAP attribute that contains the path to the user's default shell."
1669
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1670
#: sssd-ldap.5.xml:280
1671
msgid "Default: loginShell"
1674
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1675
#: sssd-ldap.5.xml:286
1676
msgid "ldap_user_uuid (string)"
1679
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1680
#: sssd-ldap.5.xml:289
1681
msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object."
1684
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1685
#: sssd-ldap.5.xml:293 sssd-ldap.5.xml:663 sssd-ldap.5.xml:756
1686
msgid "Default: nsUniqueId"
1689
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1690
#: sssd-ldap.5.xml:299
1691
msgid "ldap_user_modify_timestamp (string)"
1694
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1695
#: sssd-ldap.5.xml:302 sssd-ldap.5.xml:672 sssd-ldap.5.xml:765
1697
"The LDAP attribute that contains the timestamp of the last modification of the "
1701
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1702
#: sssd-ldap.5.xml:306 sssd-ldap.5.xml:676 sssd-ldap.5.xml:769
1703
msgid "Default: modifyTimestamp"
1706
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1707
#: sssd-ldap.5.xml:312
1708
msgid "ldap_user_shadow_last_change (string)"
1711
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1712
#: sssd-ldap.5.xml:315
1714
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1715
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1716
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of "
1717
"the last password change)."
1720
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1721
#: sssd-ldap.5.xml:325
1722
msgid "Default: shadowLastChange"
1725
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1726
#: sssd-ldap.5.xml:331
1727
msgid "ldap_user_shadow_min (string)"
1730
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1731
#: sssd-ldap.5.xml:334
1733
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1734
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1735
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum "
1739
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1740
#: sssd-ldap.5.xml:343
1741
msgid "Default: shadowMin"
1744
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1745
#: sssd-ldap.5.xml:349
1746
msgid "ldap_user_shadow_max (string)"
1749
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1750
#: sssd-ldap.5.xml:352
1752
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1753
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1754
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum "
1758
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1759
#: sssd-ldap.5.xml:361
1760
msgid "Default: shadowMax"
1763
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1764
#: sssd-ldap.5.xml:367
1765
msgid "ldap_user_shadow_warning (string)"
1768
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1769
#: sssd-ldap.5.xml:370
1771
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1772
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1773
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
1774
"(password warning period)."
1777
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1778
#: sssd-ldap.5.xml:380
1779
msgid "Default: shadowWarning"
1782
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1783
#: sssd-ldap.5.xml:386
1784
msgid "ldap_user_shadow_inactive (string)"
1787
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1788
#: sssd-ldap.5.xml:389
1790
"When using ldap_pwd_policy=shadow, this parameter contains the name of an "
1791
"LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</"
1792
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart "
1793
"(password inactivity period)."
1796
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1797
#: sssd-ldap.5.xml:399
1798
msgid "Default: shadowInactive"
1801
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1802
#: sssd-ldap.5.xml:405
1803
msgid "ldap_user_shadow_expire (string)"
1806
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1807
#: sssd-ldap.5.xml:408
1809
"When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this "
1810
"parameter contains the name of an LDAP attribute corresponding to its "
1811
"<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</"
1812
"manvolnum> </citerefentry> counterpart (account expiration date)."
1815
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1816
#: sssd-ldap.5.xml:418
1817
msgid "Default: shadowExpire"
1820
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1821
#: sssd-ldap.5.xml:424
1822
msgid "ldap_user_krb_last_pwd_change (string)"
1825
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1826
#: sssd-ldap.5.xml:427
1828
"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
1829
"an LDAP attribute storing the date and time of last password change in "
1833
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1834
#: sssd-ldap.5.xml:433
1835
msgid "Default: krbLastPwdChange"
1838
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1839
#: sssd-ldap.5.xml:439
1840
msgid "ldap_user_krb_password_expiration (string)"
1843
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1844
#: sssd-ldap.5.xml:442
1846
"When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of "
1847
"an LDAP attribute storing the date and time when current password expires."
1850
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1851
#: sssd-ldap.5.xml:448
1852
msgid "Default: krbPasswordExpiration"
1855
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1856
#: sssd-ldap.5.xml:454
1857
msgid "ldap_user_ad_account_expires (string)"
1860
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1861
#: sssd-ldap.5.xml:457
1863
"When using ldap_account_expire_policy=ad, this parameter contains the name "
1864
"of an LDAP attribute storing the expiration time of the account."
1867
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1868
#: sssd-ldap.5.xml:462
1869
msgid "Default: accountExpires"
1872
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1873
#: sssd-ldap.5.xml:468
1874
msgid "ldap_user_ad_user_account_control (string)"
1877
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1878
#: sssd-ldap.5.xml:471
1880
"When using ldap_account_expire_policy=ad, this parameter contains the name "
1881
"of an LDAP attribute storing the user account control bit field."
1884
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1885
#: sssd-ldap.5.xml:476
1886
msgid "Default: userAccountControl"
1889
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1890
#: sssd-ldap.5.xml:482
1891
msgid "ldap_ns_account_lock (string)"
1894
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1895
#: sssd-ldap.5.xml:485
1897
"When using ldap_account_expire_policy=rhds or equivalent, this parameter "
1898
"determines if access is allowed or not."
1901
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1902
#: sssd-ldap.5.xml:490
1903
msgid "Default: nsAccountLock"
1906
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1907
#: sssd-ldap.5.xml:496
1908
msgid "ldap_user_principal (string)"
1911
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1912
#: sssd-ldap.5.xml:499
1914
"The LDAP attribute that contains the user's Kerberos User Principal Name "
1918
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1919
#: sssd-ldap.5.xml:503
1920
msgid "Default: krbPrincipalName"
1923
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1924
#: sssd-ldap.5.xml:509
1925
msgid "ldap_force_upper_case_realm (boolean)"
1928
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1929
#: sssd-ldap.5.xml:512
1931
"Some directory servers, for example Active Directory, might deliver the "
1932
"realm part of the UPN in lower case, which might cause the authentication to "
1933
"fail. Set this option to a non-zero value if you want to use an upper-case "
1937
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1938
#: sssd-ldap.5.xml:519 sssd-ldap.5.xml:990 sssd-ipa.5.xml:115 sssd.8.xml:64
1939
#: sssd-krb5.5.xml:235 sssd-krb5.5.xml:266
1940
msgid "Default: false"
1943
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1944
#: sssd-ldap.5.xml:525
1945
msgid "ldap_enumeration_refresh_timeout (integer)"
1948
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1949
#: sssd-ldap.5.xml:528
1951
"The LDAP attribute that contains how many seconds SSSD has to wait before "
1952
"refreshing its cache of enumerated records."
1955
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1956
#: sssd-ldap.5.xml:533
1957
msgid "Default: 300"
1960
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1961
#: sssd-ldap.5.xml:539
1962
msgid "ldap_purge_cache_timeout"
1965
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1966
#: sssd-ldap.5.xml:542
1968
"Determine how often to check the cache for inactive entries (such as groups "
1969
"with no members and users who have never logged in) and remove them to save "
1973
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1974
#: sssd-ldap.5.xml:548
1975
msgid "Setting this option to zero will disable the cache cleanup operation."
1978
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1979
#: sssd-ldap.5.xml:552
1980
msgid "Default: 10800 (12 hours)"
1983
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1984
#: sssd-ldap.5.xml:558
1985
msgid "ldap_user_fullname (string)"
1988
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1989
#: sssd-ldap.5.xml:561
1990
msgid "The LDAP attribute that corresponds to the user's full name."
1993
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
1994
#: sssd-ldap.5.xml:565 sssd-ldap.5.xml:624 sssd-ldap.5.xml:717
1998
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
1999
#: sssd-ldap.5.xml:571
2000
msgid "ldap_user_member_of (string)"
2003
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2004
#: sssd-ldap.5.xml:574
2005
msgid "The LDAP attribute that lists the user's group memberships."
2008
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2009
#: sssd-ldap.5.xml:578
2010
msgid "Default: memberOf"
2013
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2014
#: sssd-ldap.5.xml:584
2015
msgid "ldap_user_authorized_service (string)"
2018
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2019
#: sssd-ldap.5.xml:587
2021
"If access_provider=ldap and ldap_access_order=authorized_service, SSSD will "
2022
"use the presence of the authorizedService attribute in the user's LDAP entry "
2023
"to determine access privilege."
2026
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2027
#: sssd-ldap.5.xml:594
2029
"An explicit deny (!svc) is resolved first. Second, SSSD searches for "
2030
"explicit allow (svc) and finally for allow_all (*)."
2033
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2034
#: sssd-ldap.5.xml:599
2035
msgid "Default: authorizedService"
2038
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2039
#: sssd-ldap.5.xml:605
2040
msgid "ldap_group_object_class (string)"
2043
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2044
#: sssd-ldap.5.xml:608
2045
msgid "The object class of a group entry in LDAP."
2048
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2049
#: sssd-ldap.5.xml:611
2050
msgid "Default: posixGroup"
2053
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2054
#: sssd-ldap.5.xml:617
2055
msgid "ldap_group_name (string)"
2058
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2059
#: sssd-ldap.5.xml:620
2060
msgid "The LDAP attribute that corresponds to the group name."
2063
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2064
#: sssd-ldap.5.xml:630
2065
msgid "ldap_group_gid_number (string)"
2068
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2069
#: sssd-ldap.5.xml:633
2070
msgid "The LDAP attribute that corresponds to the group's id."
2073
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2074
#: sssd-ldap.5.xml:643
2075
msgid "ldap_group_member (string)"
2078
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2079
#: sssd-ldap.5.xml:646
2080
msgid "The LDAP attribute that contains the names of the group's members."
2083
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2084
#: sssd-ldap.5.xml:650
2085
msgid "Default: memberuid (rfc2307) / member (rfc2307bis)"
2088
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2089
#: sssd-ldap.5.xml:656
2090
msgid "ldap_group_uuid (string)"
2093
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2094
#: sssd-ldap.5.xml:659
2095
msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object."
2098
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2099
#: sssd-ldap.5.xml:669
2100
msgid "ldap_group_modify_timestamp (string)"
2103
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2104
#: sssd-ldap.5.xml:682
2105
msgid "ldap_group_nesting_level (integer)"
2108
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2109
#: sssd-ldap.5.xml:685
2111
"If ldap_schema is set to a schema format that supports nested groups (e.g. "
2112
"RFC2307bis), then this option controls how many levels of nesting SSSD will "
2113
"follow. This option has no effect on the RFC2307 schema."
2116
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2117
#: sssd-ldap.5.xml:692
2121
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2122
#: sssd-ldap.5.xml:698
2123
msgid "ldap_netgroup_object_class (string)"
2126
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2127
#: sssd-ldap.5.xml:701
2128
msgid "The object class of a netgroup entry in LDAP."
2131
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2132
#: sssd-ldap.5.xml:704
2133
msgid "Default: nisNetgroup"
2136
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2137
#: sssd-ldap.5.xml:710
2138
msgid "ldap_netgroup_name (string)"
2141
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2142
#: sssd-ldap.5.xml:713
2143
msgid "The LDAP attribute that corresponds to the netgroup name."
2146
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2147
#: sssd-ldap.5.xml:723
2148
msgid "ldap_netgroup_member (string)"
2151
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2152
#: sssd-ldap.5.xml:726
2153
msgid "The LDAP attribute that contains the names of the netgroup's members."
2156
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2157
#: sssd-ldap.5.xml:730
2158
msgid "Default: memberNisNetgroup"
2161
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2162
#: sssd-ldap.5.xml:736
2163
msgid "ldap_netgroup_triple (string)"
2166
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2167
#: sssd-ldap.5.xml:739
2169
"The LDAP attribute that contains the (host, user, domain) netgroup triples."
2172
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2173
#: sssd-ldap.5.xml:743
2174
msgid "Default: nisNetgroupTriple"
2177
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2178
#: sssd-ldap.5.xml:749
2179
msgid "ldap_netgroup_uuid (string)"
2182
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2183
#: sssd-ldap.5.xml:752
2185
"The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object."
2188
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2189
#: sssd-ldap.5.xml:762
2190
msgid "ldap_netgroup_modify_timestamp (string)"
2193
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2194
#: sssd-ldap.5.xml:775
2195
msgid "ldap_search_timeout (integer)"
2198
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2199
#: sssd-ldap.5.xml:778
2201
"Specifies the timeout (in seconds) that ldap searches are allowed to run "
2202
"before they are cancelled and cached results are returned (and offline mode "
2206
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2207
#: sssd-ldap.5.xml:784
2209
"Note: this option is subject to change in future versions of the SSSD. It "
2210
"will likely be replaced at some point by a series of timeouts for specific "
2214
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2215
#: sssd-ldap.5.xml:790 sssd-ldap.5.xml:832 sssd-ldap.5.xml:847
2219
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2220
#: sssd-ldap.5.xml:796
2221
msgid "ldap_enumeration_search_timeout (integer)"
2224
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2225
#: sssd-ldap.5.xml:799
2227
"Specifies the timeout (in seconds) that ldap searches for user and group "
2228
"enumerations are allowed to run before they are cancelled and cached results "
2229
"are returned (and offline mode is entered)"
2232
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2233
#: sssd-ldap.5.xml:806
2237
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2238
#: sssd-ldap.5.xml:812
2239
msgid "ldap_network_timeout (integer)"
2242
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2243
#: sssd-ldap.5.xml:815
2245
"Specifies the timeout (in seconds) after which the <citerefentry> "
2246
"<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/"
2247
"<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</"
2248
"manvolnum> </citerefentry> following a <citerefentry> "
2249
"<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </"
2250
"citerefentry> returns in case of no activity."
2253
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2254
#: sssd-ldap.5.xml:838
2255
msgid "ldap_opt_timeout (integer)"
2258
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2259
#: sssd-ldap.5.xml:841
2261
"Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs "
2262
"will abort if no response is received. Also controls the timeout when "
2263
"communicating with the KDC in case of SASL bind."
2266
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2267
#: sssd-ldap.5.xml:853
2268
msgid "ldap_page_size (integer)"
2271
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2272
#: sssd-ldap.5.xml:856
2274
"Specify the number of records to retrieve from LDAP in a single request. "
2275
"Some LDAP servers enforce a maximum limit per-request."
2278
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2279
#: sssd-ldap.5.xml:861
2280
msgid "Default: 1000"
2283
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2284
#: sssd-ldap.5.xml:867
2285
msgid "ldap_tls_reqcert (string)"
2288
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2289
#: sssd-ldap.5.xml:870
2291
"Specifies what checks to perform on server certificates in a TLS session, if "
2292
"any. It can be specified as one of the following values:"
2295
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2296
#: sssd-ldap.5.xml:876
2298
"<emphasis>never</emphasis> = The client will not request or check any server "
2302
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2303
#: sssd-ldap.5.xml:880
2305
"<emphasis>allow</emphasis> = The server certificate is requested. If no "
2306
"certificate is provided, the session proceeds normally. If a bad certificate "
2307
"is provided, it will be ignored and the session proceeds normally."
2310
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2311
#: sssd-ldap.5.xml:887
2313
"<emphasis>try</emphasis> = The server certificate is requested. If no "
2314
"certificate is provided, the session proceeds normally. If a bad certificate "
2315
"is provided, the session is immediately terminated."
2318
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2319
#: sssd-ldap.5.xml:893
2321
"<emphasis>demand</emphasis> = The server certificate is requested. If no "
2322
"certificate is provided, or a bad certificate is provided, the session is "
2323
"immediately terminated."
2326
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2327
#: sssd-ldap.5.xml:899
2328
msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>"
2331
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2332
#: sssd-ldap.5.xml:903
2333
msgid "Default: hard"
2336
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2337
#: sssd-ldap.5.xml:909
2338
msgid "ldap_tls_cacert (string)"
2341
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2342
#: sssd-ldap.5.xml:912
2344
"Specifies the file that contains certificates for all of the Certificate "
2345
"Authorities that <command>sssd</command> will recognize."
2348
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2349
#: sssd-ldap.5.xml:917 sssd-ldap.5.xml:935 sssd-ldap.5.xml:976
2351
"Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap."
2355
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2356
#: sssd-ldap.5.xml:924
2357
msgid "ldap_tls_cacertdir (string)"
2360
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2361
#: sssd-ldap.5.xml:927
2363
"Specifies the path of a directory that contains Certificate Authority "
2364
"certificates in separate individual files. Typically the file names need to "
2365
"be the hash of the certificate followed by '.0'. If available, "
2366
"<command>cacertdir_rehash</command> can be used to create the correct names."
2369
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2370
#: sssd-ldap.5.xml:942
2371
msgid "ldap_tls_cert (string)"
2374
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2375
#: sssd-ldap.5.xml:945
2376
msgid "Specifies the file that contains the certificate for the client's key."
2379
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2380
#: sssd-ldap.5.xml:949 sssd-ldap.5.xml:961 sssd-krb5.5.xml:356
2381
msgid "Default: not set"
2384
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2385
#: sssd-ldap.5.xml:955
2386
msgid "ldap_tls_key (string)"
2389
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2390
#: sssd-ldap.5.xml:958
2391
msgid "Specifies the file that contains the client's key."
2394
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2395
#: sssd-ldap.5.xml:967
2396
msgid "ldap_tls_cipher_suite (string)"
2399
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2400
#: sssd-ldap.5.xml:970
2402
"Specifies acceptable cipher suites.  Typically this is a colon separated "
2403
"list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> "
2404
"<manvolnum>5</manvolnum></citerefentry> for format."
2407
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2408
#: sssd-ldap.5.xml:983
2409
msgid "ldap_id_use_start_tls (boolean)"
2412
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2413
#: sssd-ldap.5.xml:986
2415
"Specifies that the id_provider connection must also use <systemitem class="
2416
"\"protocol\">tls</systemitem> to protect the channel."
2419
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2420
#: sssd-ldap.5.xml:996
2421
msgid "ldap_sasl_mech (string)"
2424
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2425
#: sssd-ldap.5.xml:999
2427
"Specify the SASL mechanism to use. Currently only GSSAPI is tested and "
2431
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2432
#: sssd-ldap.5.xml:1003 sssd-ldap.5.xml:1131
2433
msgid "Default: none"
2436
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2437
#: sssd-ldap.5.xml:1009
2438
msgid "ldap_sasl_authid (string)"
2441
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2442
#: sssd-ldap.5.xml:1012
2444
"Specify the SASL authorization id to use. When GSSAPI is used, this "
2445
"represents the Kerberos principal used for authentication to the directory."
2448
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2449
#: sssd-ldap.5.xml:1017
2450
msgid "Default: host/machine.fqdn@REALM"
2453
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2454
#: sssd-ldap.5.xml:1023
2455
msgid "ldap_krb5_keytab (string)"
2458
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2459
#: sssd-ldap.5.xml:1026
2460
msgid "Specify the keytab to use when using SASL/GSSAPI."
2463
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2464
#: sssd-ldap.5.xml:1029
2465
msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>"
2468
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2469
#: sssd-ldap.5.xml:1035
2470
msgid "ldap_krb5_init_creds (boolean)"
2473
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2474
#: sssd-ldap.5.xml:1038
2476
"Specifies that the id_provider should init Kerberos credentials (TGT). This "
2477
"action is performed only if SASL is used and the mechanism selected is "
2481
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2482
#: sssd-ldap.5.xml:1050
2483
msgid "ldap_krb5_ticket_lifetime (integer)"
2486
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2487
#: sssd-ldap.5.xml:1053
2488
msgid "Specifies the lifetime in seconds of the TGT if GSSAPI is used."
2491
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2492
#: sssd-ldap.5.xml:1057
2493
msgid "Default: 86400 (24 hours)"
2496
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2497
#: sssd-ldap.5.xml:1063 sssd-krb5.5.xml:74
2498
msgid "krb5_server (string)"
2501
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2502
#: sssd-ldap.5.xml:1066 sssd-krb5.5.xml:77
2504
"Specifies the list of IP addresses or hostnames of the Kerberos servers to "
2505
"which SSSD should connect in the order of preference. For more information "
2506
"on failover and server redundancy, see the <quote>FAILOVER</quote> section. "
2507
"An optional port number (preceded by a colon) may be appended to the "
2508
"addresses or hostnames. If empty, service discovery is enabled - for more "
2509
"information, refer to the <quote>SERVICE DISCOVERY</quote> section."
2512
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2513
#: sssd-ldap.5.xml:1078 sssd-krb5.5.xml:89
2515
"When using service discovery for KDC or kpasswd servers, SSSD first searches "
2516
"for DNS entries that specify _udp as the protocol and falls back to _tcp if "
2520
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2521
#: sssd-ldap.5.xml:1083 sssd-krb5.5.xml:94
2523
"This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. "
2524
"While the legacy name is recognized for the time being, users are advised to "
2525
"migrate their config files to use <quote>krb5_server</quote> instead."
2528
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2529
#: sssd-ldap.5.xml:1092 sssd-ipa.5.xml:165 sssd-krb5.5.xml:103
2530
msgid "krb5_realm (string)"
2533
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2534
#: sssd-ldap.5.xml:1095
2535
msgid "Specify the Kerberos REALM (for SASL/GSSAPI auth)."
2538
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2539
#: sssd-ldap.5.xml:1098
2540
msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>"
2543
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2544
#: sssd-ldap.5.xml:1104
2545
msgid "ldap_pwd_policy (string)"
2548
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2549
#: sssd-ldap.5.xml:1107
2551
"Select the policy to evaluate the password expiration on the client side. "
2552
"The following values are allowed:"
2555
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2556
#: sssd-ldap.5.xml:1112
2558
"<emphasis>none</emphasis> - No evaluation on the client side. This option "
2559
"cannot disable server-side password policies."
2562
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2563
#: sssd-ldap.5.xml:1117
2565
"<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</"
2566
"refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to "
2567
"evaluate if the password has expired. Note that the current version of sssd "
2568
"cannot update this attribute during a password change."
2571
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2572
#: sssd-ldap.5.xml:1125
2574
"<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos "
2575
"to determine if the password has expired. Use chpass_provider=krb5 to update "
2576
"these attributes when the password is changed."
2579
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2580
#: sssd-ldap.5.xml:1137
2581
msgid "ldap_referrals (boolean)"
2584
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2585
#: sssd-ldap.5.xml:1140
2586
msgid "Specifies whether automatic referral chasing should be enabled."
2589
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2590
#: sssd-ldap.5.xml:1144
2592
"Please note that sssd only supports referral chasing when it is compiled "
2593
"with OpenLDAP version 2.4.13 or higher."
2596
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2597
#: sssd-ldap.5.xml:1155
2598
msgid "ldap_dns_service_name (string)"
2601
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2602
#: sssd-ldap.5.xml:1158
2603
msgid "Specifies the service name to use when service discovery is enabled."
2606
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2607
#: sssd-ldap.5.xml:1162
2608
msgid "Default: ldap"
2611
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2612
#: sssd-ldap.5.xml:1168
2613
msgid "ldap_chpass_dns_service_name (string)"
2616
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2617
#: sssd-ldap.5.xml:1171
2619
"Specifies the service name to use to find an LDAP server which allows "
2620
"password changes when service discovery is enabled."
2623
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2624
#: sssd-ldap.5.xml:1176
2625
msgid "Default: not set, i.e. service discovery is disabled"
2628
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2629
#: sssd-ldap.5.xml:1182
2630
msgid "ldap_access_filter (string)"
2633
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2634
#: sssd-ldap.5.xml:1185
2636
"If using access_provider = ldap, this option is mandatory. It specifies an "
2637
"LDAP search filter criteria that must be met for the user to be granted "
2638
"access on this host. If access_provider = ldap and this option is not set, "
2639
"it will result in all users being denied access. Use access_provider = allow "
2640
"to change this default behavior."
2643
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2644
#: sssd-ldap.5.xml:1195
2648
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting>
2649
#: sssd-ldap.5.xml:1198
2652
"access_provider = ldap\n"
2653
"ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com\n"
2657
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2658
#: sssd-ldap.5.xml:1202
2660
"This example means that access to this host is restricted to members of the "
2661
"\"allowedusers\" group in ldap."
2664
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2665
#: sssd-ldap.5.xml:1207
2667
"Offline caching for this feature is limited to determining whether the "
2668
"user's last online login was granted access permission. If they were granted "
2669
"access during their last login, they will continue to be granted access "
2670
"while offline and vice-versa."
2673
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2674
#: sssd-ldap.5.xml:1215 sssd-ldap.5.xml:1256
2675
msgid "Default: Empty"
2678
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2679
#: sssd-ldap.5.xml:1221
2680
msgid "ldap_account_expire_policy (string)"
2683
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2684
#: sssd-ldap.5.xml:1224
2686
"With this option a client side evaluation of access control attributes can "
2690
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2691
#: sssd-ldap.5.xml:1228
2693
"Please note that it is always recommended to use server side access control, "
2694
"i.e. the LDAP server should deny the bind request with a suitable error code "
2695
"even if the password is correct."
2698
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2699
#: sssd-ldap.5.xml:1235
2700
msgid "The following values are allowed:"
2703
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2704
#: sssd-ldap.5.xml:1238
2706
"<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to "
2707
"determine if the account is expired."
2710
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2711
#: sssd-ldap.5.xml:1243
2713
"<emphasis>ad</emphasis>: use the value of the 32bit field "
2714
"ldap_user_ad_user_account_control and allow access if the second bit is not "
2715
"set. If the attribute is missing, access is granted. Also, the expiration time "
2716
"of the account is checked."
2719
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2720
#: sssd-ldap.5.xml:1250
2722
"<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</"
2723
"emphasis>: use the value of ldap_ns_account_lock to check if access is "
2727
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2728
#: sssd-ldap.5.xml:1262
2729
msgid "ldap_access_order (string)"
2732
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2733
#: sssd-ldap.5.xml:1265
2734
msgid "Comma separated list of access control options. Allowed values are:"
2737
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2738
#: sssd-ldap.5.xml:1269
2739
msgid "<emphasis>filter</emphasis>: use ldap_access_filter"
2742
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2743
#: sssd-ldap.5.xml:1272
2744
msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy"
2747
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2748
#: sssd-ldap.5.xml:1276
2750
"<emphasis>authorized_service</emphasis>: use the authorizedService attribute "
2751
"to determine access"
2754
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2755
#: sssd-ldap.5.xml:1281
2756
msgid "Default: filter"
2759
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2760
#: sssd-ldap.5.xml:1284
2762
"Please note that it is a configuration error if a value is used more than "
2766
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2767
#: sssd-ldap.5.xml:1291
2768
msgid "ldap_deref (string)"
2771
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2772
#: sssd-ldap.5.xml:1294
2774
"Specifies how alias dereferencing is done when performing a search. The "
2775
"following options are allowed:"
2778
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2779
#: sssd-ldap.5.xml:1299
2780
msgid "<emphasis>never</emphasis>: Aliases are never dereferenced."
2783
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2784
#: sssd-ldap.5.xml:1303
2786
"<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of "
2787
"the base object, but not in locating the base object of the search."
2790
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2791
#: sssd-ldap.5.xml:1308
2793
"<emphasis>finding</emphasis>: Aliases are only dereferenced when locating "
2794
"the base object of the search."
2797
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2798
#: sssd-ldap.5.xml:1313
2800
"<emphasis>always</emphasis>: Aliases are dereferenced both in searching and "
2801
"in locating the base object of the search."
2804
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2805
#: sssd-ldap.5.xml:1318
2807
"Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP "
2811
#. type: Content of: <reference><refentry><refsect1><para>
2812
#: sssd-ldap.5.xml:51
2814
"All of the common configuration options that apply to SSSD domains also "
2815
"apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section "
2816
"of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
2817
"manvolnum> </citerefentry> manual page for full details. <placeholder type="
2818
"\"variablelist\" id=\"0\"/>"
2821
#. type: Content of: <reference><refentry><refsect1><title>
2822
#: sssd-ldap.5.xml:1330
2823
msgid "ADVANCED OPTIONS"
2826
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2827
#: sssd-ldap.5.xml:1337
2828
msgid "ldap_netgroup_search_base (string)"
2831
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2832
#: sssd-ldap.5.xml:1340
2834
"An optional base DN to restrict netgroup searches to a specific subtree."
2837
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2838
#: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:1358 sssd-ldap.5.xml:1372
2839
msgid "Default: the value of <emphasis>ldap_search_base</emphasis>"
2842
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2843
#: sssd-ldap.5.xml:1351
2844
msgid "ldap_user_search_base (string)"
2847
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2848
#: sssd-ldap.5.xml:1354
2849
msgid "An optional base DN to restrict user searches to a specific subtree."
2852
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
2853
#: sssd-ldap.5.xml:1365
2854
msgid "ldap_group_search_base (string)"
2857
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
2858
#: sssd-ldap.5.xml:1368
2859
msgid "An optional base DN to restrict group searches to a specific subtree."
2862
#. type: Content of: <reference><refentry><refsect1><para>
2863
#: sssd-ldap.5.xml:1332
2865
"These options are supported by LDAP domains, but they should be used with "
2866
"caution. Please include them in your configuration only if you know what you "
2867
"are doing. <placeholder type=\"variablelist\" id=\"0\"/>"
2870
#. type: Content of: <reference><refentry><refsect1><para>
2871
#: sssd-ldap.5.xml:1388
2873
"The following example assumes that SSSD is correctly configured and LDAP is "
2874
"set to one of the domains in the <replaceable>[domains]</replaceable> "
2878
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
2879
#: sssd-ldap.5.xml:1394
2883
" id_provider = ldap\n"
2884
" auth_provider = ldap\n"
2885
" ldap_uri = ldap://ldap.mydomain.org\n"
2886
" ldap_search_base = dc=mydomain,dc=org\n"
2887
" ldap_tls_reqcert = demand\n"
2888
" cache_credentials = true\n"
2889
" enumerate = true\n"
2892
#. type: Content of: <reference><refentry><refsect1><para>
2893
#: sssd-ldap.5.xml:1393 sssd-simple.5.xml:134 sssd-ipa.5.xml:196
2894
#: sssd-krb5.5.xml:414
2895
msgid "<placeholder type=\"programlisting\" id=\"0\"/>"
2898
#. type: Content of: <reference><refentry><refsect1><title>
2899
#: sssd-ldap.5.xml:1407 sssd_krb5_locator_plugin.8.xml:61
2903
#. type: Content of: <reference><refentry><refsect1><para>
2904
#: sssd-ldap.5.xml:1409
2906
"The descriptions of some of the configuration options in this manual page "
2907
"are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> "
2908
"<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 "
2912
#. type: Content of: <reference><refentry><refsect1><para>
2913
#: sssd-ldap.5.xml:1420
2915
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
2916
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-krb5</"
2917
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
2918
"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
2921
#. type: Content of: <refentryinfo>
2922
#: pam_sss.8.xml:8 include/upstream.xml:2
2924
"<productname>SSSD</productname> <orgname>The SSSD upstream - http://"
2925
"fedorahosted.org/sssd</orgname>"
2928
#. type: Content of: <reference><refentry><refnamediv><refname>
2929
#: pam_sss.8.xml:13 pam_sss.8.xml:18
2933
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
2935
msgid "PAM module for SSSD"
2938
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
2941
"<command>pam_sss.so</command> <arg choice='opt'> <replaceable>forward_pass</"
2942
"replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</"
2943
"replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</"
2944
"replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </"
2948
#. type: Content of: <reference><refentry><refsect1><para>
2951
"<command>pam_sss.so</command> is the PAM interface to the System Security "
2952
"Services daemon (SSSD). Errors and results are logged through <command>syslog"
2953
"(3)</command> with the LOG_AUTHPRIV facility."
2956
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2958
msgid "<option>forward_pass</option>"
2961
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2964
"If <option>forward_pass</option> is set, the entered password is put on the "
2965
"stack for other PAM modules to use."
2968
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2970
msgid "<option>use_first_pass</option>"
2973
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2976
"The argument use_first_pass forces the module to use a previously stacked "
2977
"module's password and will never prompt the user - if no password is "
2978
"available or the password is not appropriate, the user will be denied access."
2981
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2983
msgid "<option>use_authtok</option>"
2986
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
2989
"When changing a password, force the module to set the new password to the one "
2990
"provided by a previously stacked password module."
2993
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
2995
msgid "<option>retry=N</option>"
2998
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3001
"If specified, the user is asked another N times for a password if "
3002
"authentication fails. Default is 0."
3005
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3008
"Please note that this option might not work as expected if the application "
3009
"calling PAM handles the user dialog on its own. A typical example is "
3010
"<command>sshd</command> with <option>PasswordAuthentication</option>."
3013
#. type: Content of: <reference><refentry><refsect1><title>
3015
msgid "MODULE TYPES PROVIDED"
3018
#. type: Content of: <reference><refentry><refsect1><para>
3019
#: pam_sss.8.xml:100
3021
"All module types (<option>account</option>, <option>auth</option>, "
3022
"<option>password</option> and <option>session</option>) are provided."
3025
#. type: Content of: <reference><refentry><refsect1><title>
3026
#: pam_sss.8.xml:106
3030
#. type: Content of: <reference><refentry><refsect1><para>
3031
#: pam_sss.8.xml:107
3033
"If a password reset by root fails, because the corresponding SSSD provider "
3034
"does not support password resets, an individual message can be displayed. "
3035
"This message can e.g. contain instructions about how to reset a password."
3038
#. type: Content of: <reference><refentry><refsect1><para>
3039
#: pam_sss.8.xml:112
3041
"The message is read from the file <filename>pam_sss_pw_reset_message.LOC</"
3042
"filename> where LOC stands for a locale string returned by <citerefentry> "
3043
"<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </"
3044
"citerefentry>. If there is no matching file, the content of "
3045
"<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be "
3046
"the owner of the files and only root may have read and write permissions "
3047
"while all other users must have only read permissions."
3050
#. type: Content of: <reference><refentry><refsect1><para>
3051
#: pam_sss.8.xml:122
3053
"These files are searched in the directory <filename>/etc/sssd/customize/"
3054
"DOMAIN_NAME/</filename>. If no matching file is present, a generic message is "
3058
#. type: Content of: <reference><refentry><refsect1><para>
3059
#: pam_sss.8.xml:130
3061
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>8</"
3062
"manvolnum> </citerefentry>"
3065
#. type: Content of: <reference><refentry><refnamediv><refname>
3066
#: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15
3067
msgid "sssd_krb5_locator_plugin"
3070
#. type: Content of: <reference><refentry><refsect1><para>
3071
#: sssd_krb5_locator_plugin.8.xml:22
3073
"The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is "
3074
"used by the Kerberos provider of <citerefentry> <refentrytitle>sssd</"
3075
"refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to tell the Kerberos "
3076
"libraries what Realm and which KDC to use. Typically this is done in "
3077
"<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</"
3078
"manvolnum> </citerefentry> which is always read by the Kerberos libraries. "
3079
"To simplify the configuration, the Realm and the KDC can be defined in "
3080
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
3081
"manvolnum> </citerefentry> as described in <citerefentry> "
3082
"<refentrytitle>sssd-krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </"
3086
#. type: Content of: <reference><refentry><refsect1><para>
3087
#: sssd_krb5_locator_plugin.8.xml:48
3089
"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
3090
"</citerefentry> puts the Realm and the name or IP address of the KDC into "
3091
"the environment variables SSSD_KRB5_REALM and SSSD_KRB5_KDC respectively. "
3092
"When <command>sssd_krb5_locator_plugin</command> is called by the Kerberos "
3093
"libraries, it reads and evaluates these variables and returns them to the "
3097
#. type: Content of: <reference><refentry><refsect1><para>
3098
#: sssd_krb5_locator_plugin.8.xml:63
3100
"Not all Kerberos implementations support the use of plugins. If "
3101
"<command>sssd_krb5_locator_plugin</command> is not available on your system, "
3102
"you have to edit /etc/krb5.conf to reflect your Kerberos setup."
3105
#. type: Content of: <reference><refentry><refsect1><para>
3106
#: sssd_krb5_locator_plugin.8.xml:69
3108
"If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value, "
3109
"debug messages will be sent to stderr."
3112
#. type: Content of: <reference><refentry><refsect1><para>
3113
#: sssd_krb5_locator_plugin.8.xml:77
3115
"<citerefentry> <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</"
3116
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd.conf</"
3117
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
3118
"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
3121
#. type: Content of: <reference><refentry><refnamediv><refname>
3122
#: sssd-simple.5.xml:10 sssd-simple.5.xml:16
3126
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3127
#: sssd-simple.5.xml:17
3128
msgid "the configuration file for SSSD's 'simple' access-control provider"
3131
#. type: Content of: <reference><refentry><refsect1><para>
3132
#: sssd-simple.5.xml:24
3134
"This manual page describes the configuration of the simple access-control "
3135
"provider for <citerefentry> <refentrytitle>sssd</refentrytitle> "
3136
"<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, "
3137
"refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> "
3138
"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
3139
"citerefentry> manual page."
3142
#. type: Content of: <reference><refentry><refsect1><para>
3143
#: sssd-simple.5.xml:38
3145
"The simple access provider grants or denies access based on an access or "
3146
"deny list of user or group names. The following rules apply:"
3149
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3150
#: sssd-simple.5.xml:43
3151
msgid "If all lists are empty, access is granted"
3154
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3155
#: sssd-simple.5.xml:47
3157
"If any list is provided, the order of evaluation is allow,deny. This means "
3158
"that any matching deny rule will supersede any matched allow rule."
3161
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3162
#: sssd-simple.5.xml:54
3164
"If either or both \"allow\" lists are provided, all users are denied unless "
3165
"they appear in the list."
3168
#. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para>
3169
#: sssd-simple.5.xml:60
3171
"If only \"deny\" lists are provided, all users are granted access unless "
3172
"they appear in the list."
3175
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3176
#: sssd-simple.5.xml:78
3177
msgid "simple_allow_users (string)"
3180
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3181
#: sssd-simple.5.xml:81
3182
msgid "Comma separated list of users who are allowed to log in."
3185
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3186
#: sssd-simple.5.xml:88
3187
msgid "simple_deny_users (string)"
3190
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3191
#: sssd-simple.5.xml:91
3192
msgid "Comma separated list of users who are explicitly denied access."
3195
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3196
#: sssd-simple.5.xml:97
3197
msgid "simple_allow_groups (string)"
3200
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3201
#: sssd-simple.5.xml:100
3203
"Comma separated list of groups that are allowed to log in. This applies only "
3204
"to groups within this SSSD domain. Local groups are not evaluated."
3207
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3208
#: sssd-simple.5.xml:108
3209
msgid "simple_deny_groups (string)"
3212
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3213
#: sssd-simple.5.xml:111
3215
"Comma separated list of groups that are explicitly denied access. This "
3216
"applies only to groups within this SSSD domain. Local groups are not "
3220
#. type: Content of: <reference><refentry><refsect1><para>
3221
#: sssd-simple.5.xml:70 sssd-ipa.5.xml:62
3223
"Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> "
3224
"<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </"
3225
"citerefentry> manual page for details on the configuration of an SSSD "
3226
"domain. <placeholder type=\"variablelist\" id=\"0\"/>"
3229
#. type: Content of: <reference><refentry><refsect1><para>
3230
#: sssd-simple.5.xml:120
3232
"Please note that it is a configuration error if both simple_allow_users "
3233
"and simple_deny_users are defined."
3236
#. type: Content of: <reference><refentry><refsect1><para>
3237
#: sssd-simple.5.xml:128
3239
"The following example assumes that SSSD is correctly configured and example."
3240
"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
3241
"This example shows only the simple access provider-specific options."
3244
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
3245
#: sssd-simple.5.xml:135
3248
" [domain/example.com]\n"
3249
" access_provider = simple\n"
3250
" simple_allow_users = user1, user2\n"
3253
#. type: Content of: <reference><refentry><refsect1><para>
3254
#: sssd-simple.5.xml:145
3256
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
3257
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd</"
3258
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
3261
#. type: Content of: <reference><refentry><refnamediv><refname>
3262
#: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16
3266
#. type: Content of: <reference><refentry><refsect1><para>
3267
#: sssd-ipa.5.xml:23
3269
"This manual page describes the configuration of the IPA provider for "
3270
"<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> "
3271
"</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE "
3272
"FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</"
3273
"refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page."
3276
#. type: Content of: <reference><refentry><refsect1><para>
3277
#: sssd-ipa.5.xml:36
3279
"The IPA provider is a back end used to connect to an IPA server. (Refer to "
3280
"the freeipa.org web site for information about IPA servers.) This provider "
3281
"requires that the machine be joined to the IPA domain; configuration is "
3282
"almost entirely self-discovered and obtained directly from the server."
3285
#. type: Content of: <reference><refentry><refsect1><para>
3286
#: sssd-ipa.5.xml:43
3288
"The IPA provider accepts the same options used by the <citerefentry> "
3289
"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
3290
"citerefentry> identity provider and the <citerefentry> <refentrytitle>sssd-"
3291
"krb5</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> authentication "
3292
"provider. However, it is neither necessary nor recommended to set these "
3293
"options. The IPA provider can also be used as an access and chpass provider. As "
3294
"an access provider it uses HBAC (host-based access control) rules. Please "
3295
"refer to freeipa.org for more information about HBAC. No configuration of "
3296
"access provider is required on the client side."
3299
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3300
#: sssd-ipa.5.xml:69
3301
msgid "ipa_domain (string)"
3304
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3305
#: sssd-ipa.5.xml:72
3307
"Specifies the name of the IPA domain. This is optional. If not provided, "
3308
"the configuration domain name is used."
3311
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3312
#: sssd-ipa.5.xml:80
3313
msgid "ipa_server (string)"
3316
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3317
#: sssd-ipa.5.xml:83
3319
"The list of IP addresses or hostnames of the IPA servers to which SSSD "
3320
"should connect in the order of preference. For more information on failover "
3321
"and server redundancy, see the <quote>FAILOVER</quote> section. This is "
3322
"optional if autodiscovery is enabled. For more information on service "
3323
"discovery, refer to the <quote>SERVICE DISCOVERY</quote> section."
3326
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3327
#: sssd-ipa.5.xml:96
3328
msgid "ipa_hostname (string)"
3331
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3332
#: sssd-ipa.5.xml:99
3334
"Optional. May be set on machines where the hostname(5) does not reflect the "
3335
"fully qualified name used in the IPA domain to identify this host."
3338
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3339
#: sssd-ipa.5.xml:107
3340
msgid "ipa_dyndns_update (boolean)"
3343
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3344
#: sssd-ipa.5.xml:110
3346
"Optional. This option tells SSSD to automatically update the DNS server "
3347
"built into FreeIPA v2 with the IP address of this client."
3350
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3351
#: sssd-ipa.5.xml:121
3352
msgid "ipa_dyndns_iface (string)"
3355
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3356
#: sssd-ipa.5.xml:124
3358
"Optional. Applicable only when ipa_dyndns_update is true. Choose the "
3359
"interface whose IP address should be used for dynamic DNS updates."
3362
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3363
#: sssd-ipa.5.xml:129
3364
msgid "Default: Use the IP address of the IPA LDAP connection"
3367
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3368
#: sssd-ipa.5.xml:135
3369
msgid "ipa_hbac_search_base (string)"
3372
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3373
#: sssd-ipa.5.xml:138
3374
msgid "Optional. Use the given string as search base for HBAC related objects."
3377
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3378
#: sssd-ipa.5.xml:142
3379
msgid "Default: Use base DN"
3382
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3383
#: sssd-ipa.5.xml:148 sssd-krb5.5.xml:229
3384
msgid "krb5_validate (boolean)"
3387
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3388
#: sssd-ipa.5.xml:151 sssd-krb5.5.xml:232
3390
"Verify with the help of krb5_keytab that the TGT obtained has not been "
3394
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3395
#: sssd-ipa.5.xml:158
3397
"Note that this default differs from the traditional Kerberos provider back "
3401
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3402
#: sssd-ipa.5.xml:168
3404
"The name of the Kerberos realm. This is optional and defaults to the value "
3405
"of <quote>ipa_domain</quote>."
3408
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3409
#: sssd-ipa.5.xml:172
3411
"The name of the Kerberos realm has a special meaning in IPA - it is "
3412
"converted into the base DN to use for performing LDAP operations."
3415
#. type: Content of: <reference><refentry><refsect1><para>
3416
#: sssd-ipa.5.xml:190
"The following example assumes that SSSD is correctly configured and example."
"com is one of the domains in the <replaceable>[sssd]</replaceable> section. "
"This example shows only the ipa provider-specific options."
3423
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
3424
#: sssd-ipa.5.xml:197
3427
" [domain/example.com]\n"
3428
" id_provider = ipa\n"
3429
" ipa_server = ipaserver.example.com\n"
3430
" ipa_hostname = myhost.example.com\n"
3433
#. type: Content of: <reference><refentry><refsect1><para>
3434
#: sssd-ipa.5.xml:208
3436
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
3437
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
3438
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
3439
"<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </"
3440
"citerefentry>, <citerefentry> <refentrytitle>sssd</"
3441
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
3444
#. type: Content of: <reference><refentry><refnamediv><refname>
3445
#: sssd.8.xml:10 sssd.8.xml:15
3449
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3451
msgid "System Security Services Daemon"
3454
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
3457
"<command>sssd</command> <arg choice='opt'> <replaceable>options</"
3458
"replaceable> </arg>"
3461
#. type: Content of: <reference><refentry><refsect1><para>
"<command>SSSD</command> provides a set of daemons to manage access to remote "
"directories and authentication mechanisms. It provides an NSS and PAM "
"interface toward the system and a pluggable backend system to connect to "
"multiple different account sources as well as a D-Bus interface. It is also "
"the basis to provide client auditing and policy services for projects like "
"FreeIPA. It provides a more robust database to store local users as well as "
"extended user data."
3473
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3476
"<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</"
3480
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3483
"Debug level to run the daemon with. 0 is the default as well as the lowest "
3484
"allowed value, 10 is the most verbose mode. This setting overrides the "
3485
"settings from config file. This parameter implies <option>-i</option>."
3488
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3490
msgid "<option>-f</option>,<option>--debug-to-files</option>"
3493
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3496
"Send the debug output to files instead of stderr. By default, the log files "
3497
"are stored in <filename>/var/log/sssd</filename> and there are separate log "
3498
"files for every SSSD service and domain."
3501
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3503
msgid "<option>-D</option>,<option>--daemon</option>"
3506
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3508
msgid "Become a daemon after starting up."
3511
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3513
msgid "<option>-i</option>,<option>--interactive</option>"
3516
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3518
msgid "Run in the foreground, don't become a daemon."
3521
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3523
msgid "<option>-c</option>,<option>--config</option>"
3526
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3529
"Specify a non-default config file. The default is <filename>/etc/sssd/sssd."
3530
"conf</filename>. For reference on the config file syntax and options, "
3531
"consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
3532
"<manvolnum>5</manvolnum> </citerefentry> manual page."
3535
#. type: Content of: <reference><refentry><refsect1><title>
3540
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3542
msgid "SIGTERM/SIGINT"
3545
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3548
"Informs the SSSD to gracefully terminate all of its child processes and then "
3549
"shut down the monitor."
3552
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3557
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3560
"Tells the SSSD to stop writing to its current debug file descriptors and to "
3561
"close and reopen them. This is meant to facilitate log rolling with programs "
3565
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3570
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3573
"Tells the SSSD to simulate offline operation for one minute. This is mostly "
3574
"useful for testing purposes."
3577
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3582
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3585
"Tells the SSSD to go online immediately. This is mostly useful for testing "
3589
#. type: Content of: <reference><refentry><refsect1><para>
3592
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
3593
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupadd</"
3594
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3595
"<refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum> </"
3596
"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
3597
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3598
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
3599
"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
3600
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3601
"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
3605
#. type: Content of: <reference><refentry><refnamediv><refname>
3606
#: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15
3607
msgid "sss_obfuscate"
3610
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3611
#: sss_obfuscate.8.xml:16
3612
msgid "obfuscate a clear text password"
3615
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
3616
#: sss_obfuscate.8.xml:21
3618
"<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</"
3619
"replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</"
3620
"replaceable></arg>"
3623
#. type: Content of: <reference><refentry><refsect1><para>
3624
#: sss_obfuscate.8.xml:32
"<command>sss_obfuscate</command> converts a given password into a human-"
"unreadable format and places it into the appropriate domain section of the SSSD "
3631
#. type: Content of: <reference><refentry><refsect1><para>
3632
#: sss_obfuscate.8.xml:37
3634
"The cleartext password is read from standard input or entered "
3635
"interactively. The obfuscated password is put into "
3636
"<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the "
3637
"<quote>ldap_default_authtok_type</quote> parameter is set to "
3638
"<quote>obfuscated_password</quote>. Refer to <citerefentry> "
3639
"<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </"
3640
"citerefentry> for more details on these parameters."
3643
#. type: Content of: <reference><refentry><refsect1><para>
3644
#: sss_obfuscate.8.xml:49
3646
"Please note that obfuscating the password provides <emphasis>no real "
3647
"security benefit</emphasis> as it is still possible for an attacker to "
3648
"reverse-engineer the password back. Using better authentication mechanisms "
3649
"such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> "
3653
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3654
#: sss_obfuscate.8.xml:63
3655
msgid "<option>-s</option>,<option>--stdin</option>"
3658
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3659
#: sss_obfuscate.8.xml:67
3660
msgid "The password to obfuscate will be read from standard input."
3663
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3664
#: sss_obfuscate.8.xml:74
3666
"<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</"
3670
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3671
#: sss_obfuscate.8.xml:79
3673
"The SSSD domain to use the password in. The default name is <quote>default</"
3677
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3678
#: sss_obfuscate.8.xml:86
3680
"<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>"
3683
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3684
#: sss_obfuscate.8.xml:91
3685
msgid "Read the config file specified by the positional parameter."
3688
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3689
#: sss_obfuscate.8.xml:95
3690
msgid "Default: <filename>/etc/sssd/sssd.conf</filename>"
3693
#. type: Content of: <reference><refentry><refsect1><para>
3694
#: sss_obfuscate.8.xml:105
3696
"<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</"
3697
"manvolnum> </citerefentry>"
3700
#. type: Content of: <reference><refentry><refnamediv><refname>
3701
#: sss_useradd.8.xml:10 sss_useradd.8.xml:15
3705
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
3706
#: sss_useradd.8.xml:16
3707
msgid "create a new user"
3710
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
3711
#: sss_useradd.8.xml:21
3713
"<command>sss_useradd</command> <arg choice='opt'> <replaceable>options</"
3714
"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
3718
#. type: Content of: <reference><refentry><refsect1><para>
3719
#: sss_useradd.8.xml:32
3721
"<command>sss_useradd</command> creates a new user account using the values "
3722
"specified on the command line plus the default values from the system."
3725
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3726
#: sss_useradd.8.xml:43
3728
"<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>"
3731
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3732
#: sss_useradd.8.xml:48
3734
"Set the UID of the user to the value of <replaceable>UID</replaceable>. If "
3735
"not given, it is chosen automatically."
3738
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3739
#: sss_useradd.8.xml:55 sss_usermod.8.xml:43
3741
"<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</"
3745
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3746
#: sss_useradd.8.xml:60 sss_usermod.8.xml:48
3748
"Any text string describing the user. Often used as the field for the user's "
3752
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3753
#: sss_useradd.8.xml:67 sss_usermod.8.xml:55
3755
"<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</"
3759
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3760
#: sss_useradd.8.xml:72
3762
"The home directory of the user account. The default is to append the "
3763
"<replaceable>LOGIN</replaceable> name to <filename>/home</filename> and use "
3764
"that as the home directory. The base that is prepended before "
3765
"<replaceable>LOGIN</replaceable> is tunable with <quote>user_defaults/"
3766
"baseDirectory</quote> setting in sssd.conf."
3769
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3770
#: sss_useradd.8.xml:82 sss_usermod.8.xml:66
3772
"<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>"
3775
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3776
#: sss_useradd.8.xml:87
3778
"The user's login shell. The default is currently <filename>/bin/bash</"
3779
"filename>. The default can be changed with <quote>user_defaults/"
3780
"defaultShell</quote> setting in sssd.conf."
3783
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3784
#: sss_useradd.8.xml:96
3786
"<option>-G</option>,<option>--groups</option> <replaceable>GROUPS</"
3790
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3791
#: sss_useradd.8.xml:101
3792
msgid "A list of existing groups this user is also a member of."
3795
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3796
#: sss_useradd.8.xml:107
3797
msgid "<option>-m</option>,<option>--create-home</option>"
3800
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3801
#: sss_useradd.8.xml:111
3803
"Create the user's home directory if it does not exist. The files and "
3804
"directories contained in the skeleton directory (which can be defined with "
3805
"the -k option or in the config file) will be copied to the home directory."
3808
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3809
#: sss_useradd.8.xml:121
3810
msgid "<option>-M</option>,<option>--no-create-home</option>"
3813
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3814
#: sss_useradd.8.xml:125
3816
"Do not create the user's home directory. Overrides configuration settings."
3819
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3820
#: sss_useradd.8.xml:132
3822
"<option>-k</option>,<option>--skel</option> <replaceable>SKELDIR</"
3826
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3827
#: sss_useradd.8.xml:137
3829
"The skeleton directory, which contains files and directories to be copied in "
3830
"the user's home directory, when the home directory is created by "
3831
"<command>sss_useradd</command>."
3834
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3835
#: sss_useradd.8.xml:143
3837
"This option is only valid if the <option>-m</option> (or <option>--create-"
3838
"home</option>) option is specified, or creation of home directories is set "
3839
"to TRUE in the configuration."
3842
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
3843
#: sss_useradd.8.xml:152 sss_usermod.8.xml:124
3845
"<option>-Z</option>,<option>--selinux-user</option> "
3846
"<replaceable>SELINUX_USER</replaceable>"
3849
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
3850
#: sss_useradd.8.xml:157
3852
"The SELinux user for the user's login. If not specified, the system default "
3856
#. type: Content of: <reference><refentry><refsect1><para>
3857
#: sss_useradd.8.xml:169
3859
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
3860
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
3861
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3862
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
3863
"citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
3864
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
3865
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
3866
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
3867
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
3870
#. type: Content of: <reference><refentry><refnamediv><refname>
3871
#: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16
3875
#. type: Content of: <reference><refentry><refsect1><para>
3876
#: sssd-krb5.5.xml:23
3878
"This manual page describes the configuration of the Kerberos 5 "
3879
"authentication backend for <citerefentry> <refentrytitle>sssd</"
3880
"refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed "
3881
"syntax reference, please refer to the <quote>FILE FORMAT</quote> section of "
3882
"the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
3883
"manvolnum> </citerefentry> manual page"
3886
#. type: Content of: <reference><refentry><refsect1><para>
3887
#: sssd-krb5.5.xml:36
3889
"The Kerberos 5 authentication backend contains auth and chpass providers. It "
3890
"must be paired with identity provider in order to function properly (for "
3891
"example, id_provider = ldap). Some information required by the Kerberos 5 "
3892
"authentication backend must be provided by the identity provider, such as "
3893
"the user's Kerberos Principal Name (UPN). The configuration of the identity "
3894
"provider should have an entry to specify the UPN. Please refer to the man "
3895
"page for the applicable identity provider for details on how to configure "
3899
#. type: Content of: <reference><refentry><refsect1><para>
3900
#: sssd-krb5.5.xml:47
3902
"This backend also provides access control based on the .k5login file in the "
3903
"home directory of the user. See <citerefentry> <refentrytitle>.k5login</"
3904
"refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. "
3905
"Please note that an empty .k5login file will deny all access to this user. "
3906
"To activate this feature use 'access_provider = krb5' in your sssd "
3910
#. type: Content of: <reference><refentry><refsect1><para>
3911
#: sssd-krb5.5.xml:55
3913
"In the case where the UPN is not available in the identity backend "
3914
"<command>sssd</command> will construct a UPN using the format "
3915
"<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>."
3918
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3919
#: sssd-krb5.5.xml:106
3921
"The name of the Kerberos realm. This option is required and must be "
3925
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3926
#: sssd-krb5.5.xml:113
3927
msgid "krb5_kpasswd (string)"
3930
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3931
#: sssd-krb5.5.xml:116
"If the change password service is not running on the KDC, alternative servers "
"can be defined here. An optional port number (preceded by a colon) may be "
"appended to the addresses or hostnames."
3938
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3939
#: sssd-krb5.5.xml:122
"For more information on failover and server redundancy, see the "
"<quote>FAILOVER</quote> section. Please note that even if there are no more "
"kpasswd servers to try, the back end is not switched to offline if "
"authentication against the KDC is still possible."
3947
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3948
#: sssd-krb5.5.xml:129
3949
msgid "Default: Use the KDC"
3952
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3953
#: sssd-krb5.5.xml:135
3954
msgid "krb5_ccachedir (string)"
3957
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3958
#: sssd-krb5.5.xml:138
"Directory to store credential caches. All the substitution sequences of "
"krb5_ccname_template can be used here, too, except %d and %P. If the "
"directory does not exist it will be created. If %u, %U, %p or %h are used, a "
"private directory belonging to the user is created. Otherwise a public "
"directory with restricted deletion flag (aka sticky bit, see <citerefentry> "
"<refentrytitle>chmod</refentrytitle> <manvolnum>1</manvolnum> </"
"citerefentry> for details) is created."
3969
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
3970
#: sssd-krb5.5.xml:151
3971
msgid "Default: /tmp"
3974
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
3975
#: sssd-krb5.5.xml:157
3976
msgid "krb5_ccname_template (string)"
3979
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
3980
#: sssd-krb5.5.xml:166
3984
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
3985
#: sssd-krb5.5.xml:167
3989
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
3990
#: sssd-krb5.5.xml:170
3994
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
3995
#: sssd-krb5.5.xml:171
3999
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4000
#: sssd-krb5.5.xml:174
4004
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4005
#: sssd-krb5.5.xml:175
4006
msgid "principal name"
4009
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4010
#: sssd-krb5.5.xml:179
4014
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4015
#: sssd-krb5.5.xml:180
4019
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4020
#: sssd-krb5.5.xml:183
4024
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4025
#: sssd-krb5.5.xml:184
4026
msgid "home directory"
4029
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4030
#: sssd-krb5.5.xml:188
4034
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4035
#: sssd-krb5.5.xml:189
msgid "value of krb5_ccachedir"
4039
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4040
#: sssd-krb5.5.xml:194
4044
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4045
#: sssd-krb5.5.xml:195
4046
msgid "the process ID of the sssd client"
4049
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term>
4050
#: sssd-krb5.5.xml:200
4054
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para>
4055
#: sssd-krb5.5.xml:201
4056
msgid "a literal '%'"
4059
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4060
#: sssd-krb5.5.xml:160
4062
"Location of the user's credential cache. Currently only file based "
4063
"credential caches are supported. In the template the following sequences are "
4064
"substituted: <placeholder type=\"variablelist\" id=\"0\"/> If the template "
4065
"ends with 'XXXXXX' mkstemp(3) is used to create a unique filename in a safe "
4069
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4070
#: sssd-krb5.5.xml:209
4071
msgid "Default: FILE:%d/krb5cc_%U_XXXXXX"
4074
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4075
#: sssd-krb5.5.xml:215
4076
msgid "krb5_auth_timeout (integer)"
4079
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4080
#: sssd-krb5.5.xml:218
4082
"Timeout in seconds after an online authentication or change password request "
4083
"is aborted. If possible the authentication request is continued offline."
4086
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4087
#: sssd-krb5.5.xml:241
4088
msgid "krb5_keytab (string)"
4091
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4092
#: sssd-krb5.5.xml:244
4094
"The location of the keytab to use when validating credentials obtained from "
4098
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4099
#: sssd-krb5.5.xml:248
4100
msgid "Default: /etc/krb5.keytab"
4103
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4104
#: sssd-krb5.5.xml:254
4105
msgid "krb5_store_password_if_offline (boolean)"
4108
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4109
#: sssd-krb5.5.xml:257
4111
"Store the password of the user if the provider is offline and use it to "
4112
"request a TGT when the provider gets online again."
4115
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4116
#: sssd-krb5.5.xml:262
"Please note that this feature is currently only available on a Linux platform."
4121
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4122
#: sssd-krb5.5.xml:272
4123
msgid "krb5_renewable_lifetime (string)"
4126
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4127
#: sssd-krb5.5.xml:275
4129
"Request a renewable ticket with a total lifetime given by an integer "
4130
"immediately followed by one of the following delimiters:"
4133
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4134
#: sssd-krb5.5.xml:280 sssd-krb5.5.xml:316
4135
msgid "<emphasis>s</emphasis> seconds"
4138
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4139
#: sssd-krb5.5.xml:283 sssd-krb5.5.xml:319
4140
msgid "<emphasis>m</emphasis> minutes"
4143
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4144
#: sssd-krb5.5.xml:286 sssd-krb5.5.xml:322
4145
msgid "<emphasis>h</emphasis> hours"
4148
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4149
#: sssd-krb5.5.xml:289 sssd-krb5.5.xml:325
4150
msgid "<emphasis>d</emphasis> days."
4153
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4154
#: sssd-krb5.5.xml:292 sssd-krb5.5.xml:328
4155
msgid "If there is no delimiter <emphasis>s</emphasis> is assumed."
4158
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4159
#: sssd-krb5.5.xml:296
4161
"Please note that it is not possible to mix units. If you want to set the "
4162
"renewable lifetime to one and a half hours please use '90m' instead of "
4166
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4167
#: sssd-krb5.5.xml:302
4168
msgid "Default: not set, i.e. the TGT is not renewable"
4171
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4172
#: sssd-krb5.5.xml:308
4173
msgid "krb5_lifetime (string)"
4176
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4177
#: sssd-krb5.5.xml:311
"Request a ticket with a lifetime given by an integer immediately "
"followed by one of the following delimiters:"
4183
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4184
#: sssd-krb5.5.xml:332
4186
"Please note that it is not possible to mix units. If you want to set the "
4187
"lifetime to one and a half hours please use '90m' instead of '1h30m'."
4190
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4191
#: sssd-krb5.5.xml:337
4193
"Default: not set, i.e. the default ticket lifetime configured on the KDC."
4196
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4197
#: sssd-krb5.5.xml:344
4198
msgid "krb5_renew_interval (integer)"
4201
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4202
#: sssd-krb5.5.xml:347
4204
"The time in seconds between two checks if the TGT should be renewed. TGTs "
4205
"are renewed if about half of their lifetime is exceeded."
4208
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4209
#: sssd-krb5.5.xml:352
4210
msgid "If this option is not set or 0 the automatic renewal is disabled."
4213
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term>
4214
#: sssd-krb5.5.xml:362
4215
msgid "krb5_use_fast (string)"
4218
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4219
#: sssd-krb5.5.xml:365
4221
"Enables flexible authentication secure tunneling (FAST) for Kerberos pre-"
4222
"authentication. The following options are supported:"
4225
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4226
#: sssd-krb5.5.xml:370
"<emphasis>never</emphasis> use FAST, this is equivalent to not setting this "
4232
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4233
#: sssd-krb5.5.xml:374
4235
"<emphasis>try</emphasis> to use FAST, if the server does not support fast "
4239
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
4240
#: sssd-krb5.5.xml:378
4242
"<emphasis>demand</emphasis> to use FAST, fail if the server does not require "
4246
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
#: sssd-krb5.5.xml:382
msgid "Default: not set, i.e. FAST is not used."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
#: sssd-krb5.5.xml:385
msgid "Please note that a keytab is required to use FAST."
#. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para>
#: sssd-krb5.5.xml:388
"Please note also that sssd supports FAST only with MIT Kerberos version 1.8 "
"and above. If sssd is used with an older version, using this option is a "
"configuration error."
#. type: Content of: <reference><refentry><refsect1><para>
#: sssd-krb5.5.xml:65
"If the auth-module krb5 is used in a SSSD domain, the following options must "
"be used. See the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> "
"<manvolnum>5</manvolnum> </citerefentry> manual page, section <quote>DOMAIN "
"SECTIONS</quote> for details on the configuration of a SSSD domain. "
"<placeholder type=\"variablelist\" id=\"0\"/>"
#. type: Content of: <reference><refentry><refsect1><para>
#: sssd-krb5.5.xml:407
"The following example assumes that SSSD is correctly configured and FOO is "
"one of the domains in the <replaceable>[sssd]</replaceable> section. This "
"example shows only configuration of Kerberos authentication, it does not "
"include any identity provider."
#. type: Content of: <reference><refentry><refsect1><para><programlisting>
#: sssd-krb5.5.xml:415
" auth_provider = krb5\n"
" krb5_server = 192.168.1.1\n"
" krb5_realm = EXAMPLE.COM\n"
#. type: Content of: <reference><refentry><refsect1><para>
#: sssd-krb5.5.xml:426
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sssd-ldap</"
"refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </citerefentry>"
#. type: Content of: <reference><refentry><refnamediv><refname>
#: sss_groupadd.8.xml:10 sss_groupadd.8.xml:15
msgid "sss_groupadd"
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
#: sss_groupadd.8.xml:16
msgid "create a new group"
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
#: sss_groupadd.8.xml:21
"<command>sss_groupadd</command> <arg choice='opt'> <replaceable>options</"
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupadd.8.xml:32
"<command>sss_groupadd</command> creates a new group. These groups are "
"compatible with POSIX groups, with the additional feature that they can "
"contain other groups as members."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_groupadd.8.xml:43
"<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_groupadd.8.xml:48
"Set the GID of the group to the value of <replaceable>GID</replaceable>. If "
"not given, it is chosen automatically."
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupadd.8.xml:60
"<citerefentry> <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
#. type: Content of: <reference><refentry><refnamediv><refname>
#: sss_userdel.8.xml:10 sss_userdel.8.xml:15
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
#: sss_userdel.8.xml:16
msgid "delete a user account"
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
#: sss_userdel.8.xml:21
"<command>sss_userdel</command> <arg choice='opt'> <replaceable>options</"
"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_userdel.8.xml:32
"<command>sss_userdel</command> deletes a user identified by login name "
"<replaceable>LOGIN</replaceable> from the system."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_userdel.8.xml:44
msgid "<option>-r</option>,<option>--remove</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_userdel.8.xml:48
"Files in the user's home directory will be removed along with the home "
"directory itself and the user's mail spool. Overrides the configuration."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_userdel.8.xml:56
msgid "<option>-R</option>,<option>--no-remove</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_userdel.8.xml:60
"Files in the user's home directory will NOT be removed along with the home "
"directory itself and the user's mail spool. Overrides the configuration."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_userdel.8.xml:68
msgid "<option>-f</option>,<option>--force</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_userdel.8.xml:72
"This option forces <command>sss_userdel</command> to remove the user's home "
"directory and mail spool, even if they are not owned by the specified user."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_userdel.8.xml:80
msgid "<option>-k</option>,<option>--kick</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_userdel.8.xml:84
msgid "Before actually deleting the user, terminate all his processes."
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_userdel.8.xml:95
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
#. type: Content of: <reference><refentry><refnamediv><refname>
#: sss_groupdel.8.xml:10 sss_groupdel.8.xml:15
msgid "sss_groupdel"
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
#: sss_groupdel.8.xml:16
msgid "delete a group"
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
#: sss_groupdel.8.xml:21
"<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</"
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupdel.8.xml:32
"<command>sss_groupdel</command> deletes a group identified by its name "
"<replaceable>GROUP</replaceable> from the system."
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupdel.8.xml:48
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_groupshow</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_useradd</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_usermod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
#. type: Content of: <reference><refentry><refnamediv><refname>
#: sss_groupshow.8.xml:10 sss_groupshow.8.xml:15
msgid "sss_groupshow"
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
#: sss_groupshow.8.xml:16
msgid "print properties of a group"
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
#: sss_groupshow.8.xml:21
"<command>sss_groupshow</command> <arg choice='opt'> <replaceable>options</"
"replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></"
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupshow.8.xml:32
"<command>sss_groupshow</command> displays information about a group "
"identified by its name <replaceable>GROUP</replaceable>. The information "
"includes the group ID number, members of the group and the parent group."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_groupshow.8.xml:43
msgid "<option>-R</option>,<option>--recursive</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_groupshow.8.xml:47
"Also print indirect group members in a tree-like hierarchy. Note that this "
"also affects printing parent groups - without <option>-R</option>, only the "
"direct parent will be printed."
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_groupshow.8.xml:60
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupmod</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum> </"
#. type: Content of: <reference><refentry><refnamediv><refname>
#: sss_usermod.8.xml:10 sss_usermod.8.xml:15
#. type: Content of: <reference><refentry><refnamediv><refpurpose>
#: sss_usermod.8.xml:16
msgid "modify a user account"
#. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis>
#: sss_usermod.8.xml:21
"<command>sss_usermod</command> <arg choice='opt'> <replaceable>options</"
"replaceable> </arg> <arg choice='plain'><replaceable>LOGIN</replaceable></"
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_usermod.8.xml:32
"<command>sss_usermod</command> modifies the account specified by "
"<replaceable>LOGIN</replaceable> to reflect the changes that are specified "
"on the command line."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:60
msgid "The home directory of the user account."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:71
msgid "The user's login shell."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:82
"Append this user to groups specified by the <replaceable>GROUPS</"
"replaceable> parameter. The <replaceable>GROUPS</replaceable> parameter is "
"a comma separated list of group names."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:96
"Remove this user from groups specified by the <replaceable>GROUPS</"
"replaceable> parameter."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_usermod.8.xml:103
msgid "<option>-l</option>,<option>--lock</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:107
msgid "Lock the user account. The user won't be able to log in."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term>
#: sss_usermod.8.xml:114
msgid "<option>-u</option>,<option>--unlock</option>"
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:118
msgid "Unlock the user account."
#. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para>
#: sss_usermod.8.xml:129
msgid "The SELinux user for the user's login."
#. type: Content of: <reference><refentry><refsect1><para>
#: sss_usermod.8.xml:140
"<citerefentry> <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</"
"manvolnum> </citerefentry>, <citerefentry> <refentrytitle>sss_groupdel</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_groupshow</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> "
"<refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum> </"
"citerefentry>, <citerefentry> <refentrytitle>sss_userdel</"
"refentrytitle><manvolnum>8</manvolnum> </citerefentry>."
#. type: Content of: <refsect1><title>
#: include/service_discovery.xml:2
msgid "SERVICE DISCOVERY"
#. type: Content of: <refsect1><para>
#: include/service_discovery.xml:4
"The service discovery feature allows back ends to automatically find the "
"appropriate servers to connect to using a special DNS query."
#. type: Content of: <refsect1><refsect2><title>
#: include/service_discovery.xml:9
msgid "Configuration"
#. type: Content of: <refsect1><refsect2><para>
#: include/service_discovery.xml:11
"If no servers are specified, the back end automatically uses service "
"discovery to try to find a server. Optionally, the user may choose to use "
"both fixed server addresses and service discovery by inserting a special "
"keyword, <quote>_srv_</quote>, in the list of servers. The order of "
"preference is maintained. This feature is useful if, for example, the user "
"prefers to use service discovery whenever possible, and fall back to a "
"specific server when no servers can be discovered using DNS."
#. type: Content of: <refsect1><refsect2><title>
#: include/service_discovery.xml:23
msgid "The domain name"
#. type: Content of: <refsect1><refsect2><para>
#: include/service_discovery.xml:25
"Please refer to the <quote>dns_discovery_domain</quote> parameter in the "
"<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</"
"manvolnum> </citerefentry> manual page for more details."
#. type: Content of: <refsect1><refsect2><title>
#: include/service_discovery.xml:35
msgid "The protocol"
#. type: Content of: <refsect1><refsect2><para>
#: include/service_discovery.xml:37
"The queries usually specify _tcp as the protocol. Exceptions are documented "
"in the respective option description."
#. type: Content of: <refsect1><refsect2><title>
#: include/service_discovery.xml:42
#. type: Content of: <refsect1><refsect2><para>
#: include/service_discovery.xml:44
"For more information on the service discovery mechanism, refer to RFC 2782."
#. type: Content of: outside any tag (error?)
#: include/upstream.xml:1
msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>"
#. type: Content of: <refsect1><title>
#: include/failover.xml:2
#. type: Content of: <refsect1><para>
#: include/failover.xml:4
"The failover feature allows back ends to automatically switch to a different "
"server if the primary server fails."
#. type: Content of: <refsect1><refsect2><title>
#: include/failover.xml:8
msgid "Failover Syntax"
#. type: Content of: <refsect1><refsect2><para>
#: include/failover.xml:10
"The list of servers is given as a comma-separated list; any number of spaces "
"is allowed around the comma. The servers are listed in order of preference. "
"The list can contain any number of servers."
#. type: Content of: <refsect1><refsect2><title>
#: include/failover.xml:17
msgid "The Failover Mechanism"
#. type: Content of: <refsect1><refsect2><para>
#: include/failover.xml:19
"The failover mechanism distinguishes between a machine and a service. The "
"back end first tries to resolve the hostname of a given machine; if this "
"resolution attempt fails, the machine is considered offline. No further "
"attempts are made to connect to this machine for any other service. If the "
"resolution attempt succeeds, the back end tries to connect to a service on "
"this machine. If the service connection attempt fails, then only this "
"particular service is considered offline and the back end automatically "
"switches over to the next service. The machine is still considered online "
"and might still be tried for another service."
#. type: Content of: <refsect1><refsect2><para>
#: include/failover.xml:32
"Further connection attempts are made to machines or services marked as "
"offline after a specified period of time; this is currently hard coded to 30 "
#. type: Content of: <refsect1><refsect2><para>
#: include/failover.xml:37
"If there are no more machines to try, the back end as a whole switches to "
"offline mode, and then attempts to reconnect every 30 seconds."
#. type: Content of: <varlistentry><term>
#: include/param_help.xml:3
msgid "<option>-h</option>,<option>--help</option>"
#. type: Content of: <varlistentry><listitem><para>
#: include/param_help.xml:7
msgid "Display help message and exit."