diff options
Diffstat (limited to 'src/config/SSSDConfig/sssdoptions.py')
-rw-r--r-- | src/config/SSSDConfig/sssdoptions.py | 578 |
1 files changed, 578 insertions, 0 deletions
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py new file mode 100644 index 0000000..0d75e6d --- /dev/null +++ b/src/config/SSSDConfig/sssdoptions.py 
@@ -0,0 +1,578 @@ +import sys +import gettext + +PACKAGE = 'sss_daemon' +LOCALEDIR = '/usr/share/locale' + +translation = gettext.translation(PACKAGE, LOCALEDIR, fallback=True) +if sys.version_info[0] > 2: + _ = translation.gettext +else: + _ = translation.ugettext + + +class SSSDOptions(object): + def __init__(self): + pass + + option_strings = { + # [service] + 'debug': _('Set the verbosity of the debug logging'), + 'debug_level': _('Set the verbosity of the debug logging'), + 'debug_timestamps': _('Include timestamps in debug logs'), + 'debug_microseconds': _('Include microseconds in timestamps in debug logs'), + 'debug_backtrace_enabled': _('Enable/disable debug backtrace'), + 'timeout': _('Watchdog timeout before restarting service'), + 'command': _('Command to start service'), + 'reconnection_retries': _('Number of times to attempt connection to Data Providers'), + 'fd_limit': _('The number of file descriptors that may be opened by this responder'), + 'client_idle_timeout': _('Idle time before automatic disconnection of a client'), + 'responder_idle_timeout': _('Idle time before automatic shutdown of the responder'), + 'cache_first': _('Always query all the caches before querying the Data Providers'), + 'offline_timeout': _('When SSSD switches to offline mode the amount of time before it tries to go back online ' + 'will increase based upon the time spent disconnected. This value is in seconds and ' + 'calculated by the following: offline_timeout + random_offset.'), + + # [sssd] + 'config_file_version': _( + 'Indicates what is the syntax of the config file. 
SSSD 0.6.0 and later use version 2.'), + 'services': _('SSSD Services to start'), + 'domains': _('SSSD Domains to start'), + 're_expression': _('Regex to parse username and domain'), + 'full_name_format': _('Printf-compatible format for displaying fully-qualified names'), + 'krb5_rcache_dir': _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'), + 'default_domain_suffix': _('Domain to add to names without a domain component.'), + 'user': _('The user to drop privileges to'), + 'certificate_verification': _('Tune certificate verification'), + 'override_space': _('All spaces in group or user names will be replaced with this character'), + 'disable_netlink': _('Tune sssd to honor or ignore netlink state changes'), + 'enable_files_domain': _('Enable or disable the implicit files domain'), + 'domain_resolution_order': _('A specific order of the domains to be looked up'), + 'monitor_resolv_conf': _('Controls if SSSD should monitor the state of resolv.conf to identify when it needs ' + 'to update its internal DNS resolver.'), + 'try_inotify': _('SSSD monitors the state of resolv.conf to identify when it needs to update its internal DNS ' + 'resolver. 
By default, we will attempt to use inotify for this, and will fall back to ' + 'polling resolv.conf every five seconds if inotify cannot be used.'), + 'implicit_pac_responder': _('Run PAC responder automatically for AD and IPA provider'), + 'core_dumpable': _('Enable or disable core dumps for all SSSD processes.'), + 'passkey_verification': _('Tune passkey verification behavior'), + + # [nss] + 'enum_cache_timeout': _('Enumeration cache timeout length (seconds)'), + 'entry_cache_no_wait_timeout': _('Entry cache background update timeout length (seconds)'), + 'entry_negative_timeout': _('Negative cache timeout length (seconds)'), + 'local_negative_timeout': _('Files negative cache timeout length (seconds)'), + 'filter_users': _('Users that SSSD should explicitly ignore'), + 'filter_groups': _('Groups that SSSD should explicitly ignore'), + 'filter_users_in_groups': _('Should filtered users appear in groups'), + 'pwfield': _('The value of the password field the NSS provider should return'), + 'override_homedir': _('Override homedir value from the identity provider with this value'), + 'fallback_homedir': _('Substitute empty homedir value from the identity provider with this value'), + 'override_shell': _('Override shell value from the identity provider with this value'), + 'allowed_shells': _('The list of shells users are allowed to log in with'), + 'vetoed_shells': _('The list of shells that will be vetoed, and replaced with the fallback shell'), + 'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'), + 'default_shell': _('Shell to use if the provider does not list one'), + 'memcache_timeout': _('How long will be in-memory cache records valid'), + 'memcache_size_passwd': _( + 'Size (in megabytes) of the data table allocated inside fast in-memory cache for passwd requests'), + 'memcache_size_group': _( + 'Size (in megabytes) of the data table allocated inside fast in-memory cache for group requests'), + 
'memcache_size_initgroups': _( + 'Size (in megabytes) of the data table allocated inside fast in-memory cache for initgroups requests'), + 'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option ' + 'if the template contains the format string %H.'), + 'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered ' + 'valid.'), + 'entry_cache_nowait_percentage': _('The entry cache can be set to automatically update entries in the ' + 'background if they are requested beyond a percentage of the ' + 'entry_cache_timeout value for the domain.'), + + # [pam] + 'offline_credentials_expiration': _('How long to allow cached logins between online logins (days)'), + 'offline_failed_login_attempts': _('How many failed logins attempts are allowed when offline'), + 'offline_failed_login_delay': _( + 'How long (minutes) to deny login after offline_failed_login_attempts has been reached'), + 'pam_verbosity': _('What kind of messages are displayed to the user during authentication'), + 'pam_response_filter': _('Filter PAM responses sent to the pam_sss'), + 'pam_id_timeout': _('How many seconds to keep identity information cached for PAM requests'), + 'pam_pwd_expiration_warning': _('How many days before password expiration a warning should be displayed'), + 'pam_trusted_users': _('List of trusted uids or user\'s name'), + 'pam_public_domains': _('List of domains accessible even for untrusted users.'), + 'pam_account_expired_message': _('Message printed when user account is expired.'), + 'pam_account_locked_message': _('Message printed when user account is locked.'), + 'pam_cert_auth': _('Allow certificate based/Smartcard authentication.'), + 'pam_cert_db_path': _('Path to certificate database with PKCS#11 modules.'), + 'pam_cert_verification': _('Tune certificate verification for PAM authentication.'), + 'p11_child_timeout': _('How many seconds will pam_sss wait for p11_child to 
finish'), + 'pam_app_services': _('Which PAM services are permitted to contact application domains'), + 'pam_p11_allowed_services': _('Allowed services for using smartcards'), + 'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'), + 'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'), + 'pam_initgroups_scheme': _('When shall the PAM responder force an initgroups request'), + 'pam_gssapi_services': _('List of PAM services that are allowed to authenticate with GSSAPI.'), + 'pam_gssapi_check_upn': _('Whether to match authenticated UPN with target user'), + 'pam_gssapi_indicators_map': _('List of pairs <PAM service>:<authentication indicator> that ' + 'must be enforced for PAM access with GSSAPI authentication'), + 'pam_passkey_auth': _('Allow passkey device authentication.'), + 'passkey_child_timeout': _('How many seconds will pam_sss wait for passkey_child to finish'), + 'passkey_debug_libfido2': _('Enable debugging in the libfido2 library'), + + # [sudo] + 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), + 'sudo_inverse_order': _('If true, SSSD will switch back to lower-wins ordering logic'), + 'sudo_threshold': _('Maximum number of rules that can be refreshed at once. 
If this is exceeded, full refresh ' + 'is performed.'), + + # [autofs] + 'autofs_negative_timeout': _('Negative cache timeout length (seconds)'), + + # [ssh] + 'ssh_hash_known_hosts': _('Whether to hash host names and addresses in the known_hosts file'), + 'ssh_known_hosts_timeout': _('How many seconds to keep a host in the known_hosts file after its host keys ' + 'were requested'), + 'ca_db': _('Path to storage of trusted CA certificates'), + 'ssh_use_certificate_keys': _('Allow to generate ssh-keys from certificates'), + 'ssh_use_certificate_matching_rules': _('Use the following matching rules to filter the certificates for ' + 'ssh-key generation'), + + # [pac] + 'allowed_uids': _('List of UIDs or user names allowed to access the PAC responder'), + 'pac_lifetime': _('How long the PAC data is considered valid'), + 'pac_check': _('Validate the PAC'), + + # [ifp] + 'user_attributes': _('List of user attributes the InfoPipe is allowed to publish'), + + # [session_recording] + 'scope': _('One of the following strings specifying the scope of session recording: none - No users are ' + 'recorded. some - Users/groups specified by users and groups options are recorded. all - All users ' + 'are recorded.'), + 'users': _('A comma-separated list of users which should have session recording enabled. Matches user names ' + 'as returned by NSS. I.e. after the possible space replacement, case changes, etc.'), + 'groups': _('A comma-separated list of groups, members of which should have session recording enabled. ' + 'Matches group names as returned by NSS. I.e. after the possible space replacement, case changes, ' + 'etc.'), + 'exclude_users': _('A comma-separated list of users to be excluded from recording, only when scope=all'), + 'exclude_groups': _('A comma-separated list of groups, members of which should be excluded from recording, ' + ' only when scope=all. 
'), + + # [provider] + 'id_provider': _('Identity provider'), + 'auth_provider': _('Authentication provider'), + 'access_provider': _('Access control provider'), + 'chpass_provider': _('Password change provider'), + 'sudo_provider': _('SUDO provider'), + 'autofs_provider': _('Autofs provider'), + 'hostid_provider': _('Host identity provider'), + 'selinux_provider': _('SELinux provider'), + 'session_provider': _('Session management provider'), + 'resolver_provider': _('Resolver provider'), + + # [domain] + 'domain_type': _('Whether the domain is usable by the OS or by applications'), + 'enabled': _('Enable or disable the domain'), + 'min_id': _('Minimum user ID'), + 'max_id': _('Maximum user ID'), + 'enumerate': _('Enable enumerating all users/groups'), + 'cache_credentials': _('Cache credentials for offline login'), + 'use_fully_qualified_names': _('Display users/groups in fully-qualified form'), + 'ignore_group_members': _('Don\'t include group members in group lookups'), + 'entry_cache_timeout': _('Entry cache timeout length (seconds)'), + 'lookup_family_order': _('Restrict or prefer a specific address family when performing DNS lookups'), + 'account_cache_expiration': _('How long to keep cached entries after last successful login (days)'), + 'dns_resolver_server_timeout': _('How long should SSSD talk to single DNS server before trying next server (' + 'miliseconds)'), + 'dns_resolver_op_timeout': _('How long should keep trying to resolve single DNS query (seconds)'), + 'dns_resolver_timeout': _('How long to wait for replies from DNS when resolving servers (seconds)'), + 'dns_discovery_domain': _('The domain part of service discovery DNS query'), + 'override_gid': _('Override GID value from the identity provider with this value'), + 'case_sensitive': _('Treat usernames as case sensitive'), + 'entry_cache_user_timeout': _('Entry cache timeout length (seconds)'), + 'entry_cache_group_timeout': _('Entry cache timeout length (seconds)'), + 
'entry_cache_netgroup_timeout': _('Entry cache timeout length (seconds)'), + 'entry_cache_service_timeout': _('Entry cache timeout length (seconds)'), + 'entry_cache_autofs_timeout': _('Entry cache timeout length (seconds)'), + 'entry_cache_sudo_timeout': _('Entry cache timeout length (seconds)'), + 'entry_cache_resolver_timeout': _('Entry cache timeout length (seconds)'), + 'refresh_expired_interval': _('How often should expired entries be refreshed in background'), + 'refresh_expired_interval_offset': _("Maximum period deviation when refreshing expired entries in background"), + 'dyndns_update': _("Whether to automatically update the client's DNS entry"), + 'dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"), + 'dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"), + 'dyndns_refresh_interval': _("How often to periodically update the client's DNS entry"), + 'dyndns_refresh_interval_offset': _("Maximum period deviation when updating the client's DNS entry"), + 'dyndns_update_ptr': _("Whether the provider should explicitly update the PTR record as well"), + 'dyndns_force_tcp': _("Whether the nsupdate utility should default to using TCP"), + 'dyndns_auth': _("What kind of authentication should be used to perform the DNS update"), + 'dyndns_server': _("Override the DNS server used to perform the DNS update"), + 'subdomain_enumerate': _('Control enumeration of trusted domains'), + 'subdomain_refresh_interval': _('How often should subdomains list be refreshed'), + 'subdomain_refresh_interval_offset': _('Maximum period deviation when refreshing the subdomain list'), + 'subdomain_inherit': _('List of options that should be inherited into a subdomain'), + 'subdomain_homedir': _('Default subdomain homedir value'), + 'cached_auth_timeout': _('How long can cached credentials be used for cached authentication'), + 'auto_private_groups': _('Whether to automatically create private groups for users'), + 
'pwd_expiration_warning': _('Display a warning N days before the password expires.'), + 'realmd_tags': _('Various tags stored by the realmd configuration service for this domain.'), + 'subdomains_provider': _('The provider which should handle fetching of subdomains. This value should be ' + 'always the same as id_provider.'), + 'entry_cache_ssh_host_timeout': _('How many seconds to keep a host ssh key after refresh. IE how long to ' + 'cache the host key for.'), + 'cache_credentials_minimal_first_factor_length': _('If 2-Factor-Authentication (2FA) is used and credentials ' + 'should be saved this value determines the minimal length ' + 'the first authentication factor (long term password) must ' + 'have to be saved as SHA512 hash into the cache.'), + 'local_auth_policy': _('Local authentication methods policy '), + + # [provider/ipa] + 'ipa_domain': _('IPA domain'), + 'ipa_server': _('IPA server address'), + 'ipa_backup_server': _('Address of backup IPA server'), + 'ipa_hostname': _('IPA client hostname'), + 'ipa_dyndns_update': _("Whether to automatically update the client's DNS entry in FreeIPA"), + 'ipa_dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"), + 'ipa_dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"), + 'ipa_hbac_search_base': _("Search base for HBAC related objects"), + 'ipa_hbac_refresh': _("The amount of time between lookups of the HBAC rules against the IPA server"), + 'ipa_selinux_refresh': _("The amount of time in seconds between lookups of the SELinux maps against the IPA " + "server"), + 'ipa_hbac_support_srchost': _("If set to false, host argument given by PAM will be ignored"), + 'ipa_automount_location': _("The automounter location this IPA client is using"), + 'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"), + 'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"), + 'ipa_enable_dns_sites': _("Enable DNS 
sites - location based service discovery"), + 'ipa_views_search_base': _("Search base for view containers"), + 'ipa_view_class': _("Objectclass for view containers"), + 'ipa_view_name': _("Attribute with the name of the view"), + 'ipa_override_object_class': _("Objectclass for override objects"), + 'ipa_anchor_uuid': _("Attribute with the reference to the original object"), + 'ipa_user_override_object_class': _("Objectclass for user override objects"), + 'ipa_group_override_object_class': _("Objectclass for group override objects"), + 'ipa_deskprofile_search_base': _("Search base for Desktop Profile related objects"), + 'ipa_deskprofile_refresh': _("The amount of time in seconds between lookups of the Desktop Profile rules " + "against the IPA server"), + 'ipa_deskprofile_request_interval': _("The amount of time in minutes between lookups of Desktop Profiles " + "rules against the IPA server when the last request did not find any " + "rule"), + 'ipa_subid_ranges_search_base': _("Search base for SUBID ranges"), + 'ipa_access_order': _("Which rules should be used to evaluate access control"), + 'ipa_host_fqdn': _('The LDAP attribute that contains FQDN of the host.'), + 'ipa_host_object_class': _('The object class of a host entry in LDAP.'), + 'ipa_host_search_base': _('Use the given string as search base for host objects.'), + 'ipa_host_ssh_public_key': _('The LDAP attribute that contains the host\'s SSH public keys.'), + 'ipa_netgroup_domain': _('The LDAP attribute that contains NIS domain name of the netgroup.'), + 'ipa_netgroup_member': _('The LDAP attribute that contains the names of the netgroup\'s members.'), + 'ipa_netgroup_member_ext_host': _('The LDAP attribute that lists FQDNs of hosts and host groups that are ' + 'members of the netgroup.'), + 'ipa_netgroup_member_host': _('The LDAP attribute that lists hosts and host groups that are direct members of ' + 'the netgroup.'), + 'ipa_netgroup_member_of': _('The LDAP attribute that lists netgroup\'s 
memberships.'), + 'ipa_netgroup_member_user': _('The LDAP attribute that lists system users and groups that are direct members ' + 'of the netgroup.'), + 'ipa_netgroup_name': _('The LDAP attribute that corresponds to the netgroup name.'), + 'ipa_netgroup_object_class': _('The object class of a netgroup entry in LDAP.'), + 'ipa_netgroup_uuid': _('The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object.'), + 'ipa_selinux_usermap_enabled': _('The LDAP attribute that contains whether or not is user map enabled for ' + 'usage.'), + 'ipa_selinux_usermap_host_category': _('The LDAP attribute that contains host category such as \'all\'.'), + 'ipa_selinux_usermap_member_host': _('The LDAP attribute that contains all hosts / hostgroups this rule match ' + 'against.'), + 'ipa_selinux_usermap_member_user': _('The LDAP attribute that contains all users / groups this rule match ' + 'against.'), + 'ipa_selinux_usermap_name': _('The LDAP attribute that contains the name of SELinux usermap.'), + 'ipa_selinux_usermap_object_class': _('The object class of a host entry in LDAP.'), + 'ipa_selinux_usermap_see_also': _('The LDAP attribute that contains DN of HBAC rule which can be used for ' + 'matching instead of memberUser and memberHost.'), + 'ipa_selinux_usermap_selinux_user': _('The LDAP attribute that contains SELinux user string itself.'), + 'ipa_selinux_usermap_user_category': _('The LDAP attribute that contains user category such as \'all\'.'), + 'ipa_selinux_usermap_uuid': _('The LDAP attribute that contains unique ID of the user map.'), + 'ipa_server_mode': _('The option denotes that the SSSD is running on IPA server and should perform lookups of ' + 'users and groups from trusted domains differently.'), + 'ipa_subdomains_search_base': _('Use the given string as search base for trusted domains.'), + + # [provider/ad] + 'ad_domain': _('Active Directory domain'), + 'ad_enabled_domains': _('Enabled Active Directory domains'), + 'ad_server': _('Active Directory 
server address'), + 'ad_backup_server': _('Active Directory backup server address'), + 'ad_hostname': _('Active Directory client hostname'), + 'ad_enable_dns_sites': _('Enable DNS sites - location based service discovery'), + 'ad_access_filter': _('LDAP filter to determine access privileges'), + 'ad_enable_gc': _('Whether to use the Global Catalog for lookups'), + 'ad_gpo_access_control': _('Operation mode for GPO-based access control'), + 'ad_gpo_cache_timeout': _("The amount of time between lookups of the GPO policy files against the AD server"), + 'ad_gpo_map_interactive': _('PAM service names that map to the GPO (Deny)InteractiveLogonRight ' + 'policy settings'), + 'ad_gpo_map_remote_interactive': _('PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight ' + 'policy settings'), + 'ad_gpo_map_network': _('PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings'), + 'ad_gpo_map_batch': _('PAM service names that map to the GPO (Deny)BatchLogonRight policy settings'), + 'ad_gpo_map_service': _('PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings'), + 'ad_gpo_map_permit': _('PAM service names for which GPO-based access is always granted'), + 'ad_gpo_map_deny': _('PAM service names for which GPO-based access is always denied'), + 'ad_gpo_default_right': _('Default logon right (or permit/deny) to use for unmapped PAM service names'), + 'ad_site': _('a particular site to be used by the client'), + 'ad_maximum_machine_account_password_age': _('Maximum age in days before the machine account password should ' + 'be renewed'), + 'ad_machine_account_password_renewal_opts': _('Option for tuning the machine account renewal task'), + 'ad_update_samba_machine_account_password': _('Whether to update the machine account password in the Samba ' + 'database'), + 'ad_use_ldaps': _('Use LDAPS port for LDAP and Global Catalog requests'), + 'ad_allow_remote_domain_local_groups': _('Do not filter domain local groups from 
other domains'), + + # [provider/krb5] + 'krb5_kdcip': _('Kerberos server address'), + 'krb5_server': _('Kerberos server address'), + 'krb5_backup_server': _('Kerberos backup server address'), + 'krb5_realm': _('Kerberos realm'), + 'krb5_auth_timeout': _('Authentication timeout'), + 'krb5_use_kdcinfo': _('Whether to create kdcinfo files'), + 'krb5_confd_path': _('Where to drop krb5 config snippets'), + + # [provider/krb5/auth] + 'krb5_ccachedir': _('Directory to store credential caches'), + 'krb5_ccname_template': _("Location of the user's credential cache"), + 'krb5_keytab': _("Location of the keytab to validate credentials"), + 'krb5_validate': _("Enable credential validation"), + 'krb5_store_password_if_offline': _("Store password if offline for later online authentication"), + 'krb5_renewable_lifetime': _("Renewable lifetime of the TGT"), + 'krb5_lifetime': _("Lifetime of the TGT"), + 'krb5_renew_interval': _("Time between two checks for renewal"), + 'krb5_use_fast': _("Enables FAST"), + 'krb5_fast_principal': _("Selects the principal to use for FAST"), + 'krb5_fast_use_anonymous_pkinit': _("Use anonymous PKINIT to request FAST credentials"), + 'krb5_canonicalize': _("Enables principal canonicalization"), + 'krb5_use_enterprise_principal': _("Enables enterprise principals"), + 'krb5_use_subdomain_realm': _("Enables using of subdomains realms for authentication"), + 'krb5_map_user': _('A mapping from user names to Kerberos principal names'), + + # [provider/krb5/chpass] + 'krb5_kpasswd': _('Server where the change password service is running if not on the KDC'), + 'krb5_backup_kpasswd': _('Server where the change password service is running if not on the KDC'), + + # [provider/ldap] + 'ldap_uri': _('ldap_uri, The URI of the LDAP server'), + 'ldap_backup_uri': _('ldap_backup_uri, The URI of the LDAP server'), + 'ldap_search_base': _('The default base DN'), + 'ldap_schema': _('The Schema Type in use on the LDAP server, rfc2307'), + 'ldap_pwmodify_mode': _('Mode 
used to change user password'), + 'ldap_default_bind_dn': _('The default bind DN'), + 'ldap_default_authtok_type': _('The type of the authentication token of the default bind DN'), + 'ldap_default_authtok': _('The authentication token of the default bind DN'), + 'ldap_network_timeout': _('Length of time to attempt connection'), + 'ldap_opt_timeout': _('Length of time to attempt synchronous LDAP operations'), + 'ldap_offline_timeout': _('Length of time between attempts to reconnect while offline'), + 'ldap_force_upper_case_realm': _('Use only the upper case for realm names'), + 'ldap_tls_cacert': _('File that contains CA certificates'), + 'ldap_tls_cacertdir': _('Path to CA certificate directory'), + 'ldap_tls_cert': _('File that contains the client certificate'), + 'ldap_tls_key': _('File that contains the client key'), + 'ldap_tls_cipher_suite': _('List of possible ciphers suites'), + 'ldap_tls_reqcert': _('Require TLS certificate verification'), + 'ldap_sasl_mech': _('Specify the sasl mechanism to use'), + 'ldap_sasl_authid': _('Specify the sasl authorization id to use'), + 'ldap_sasl_realm': _('Specify the sasl authorization realm to use'), + 'ldap_sasl_minssf': _('Specify the minimal SSF for LDAP sasl authorization'), + 'ldap_sasl_maxssf': _('Specify the maximal SSF for LDAP sasl authorization'), + 'ldap_krb5_keytab': _('Kerberos service keytab'), + 'ldap_krb5_init_creds': _('Use Kerberos auth for LDAP connection'), + 'ldap_referrals': _('Follow LDAP referrals'), + 'ldap_krb5_ticket_lifetime': _('Lifetime of TGT for LDAP connection'), + 'ldap_deref': _('How to dereference aliases'), + 'ldap_dns_service_name': _('Service name for DNS service lookups'), + 'ldap_page_size': _('The number of records to retrieve in a single LDAP query'), + 'ldap_deref_threshold': _('The number of members that must be missing to trigger a full deref'), + 'ldap_ignore_unreadable_references': _('Ignore unreadable LDAP references'), + 'ldap_sasl_canonicalize': _('Whether the LDAP 
library should perform a reverse lookup to canonicalize the ' + 'host name during a SASL bind'), + 'ldap_rfc2307_fallback_to_local_users': _('Allows to retain local users as members of an LDAP group for ' + 'servers that use the RFC2307 schema.'), + + 'ldap_entry_usn': _('entryUSN attribute'), + 'ldap_rootdse_last_usn': _('lastUSN attribute'), + + 'ldap_connection_expiration_timeout': _('How long to retain a connection to the LDAP server before ' + 'disconnecting'), + + 'ldap_disable_paging': _('Disable the LDAP paging control'), + 'ldap_disable_range_retrieval': _('Disable Active Directory range retrieval'), + + # [provider/ldap/id] + 'ldap_search_timeout': _('Length of time to wait for a search request'), + 'ldap_enumeration_search_timeout': _('Length of time to wait for a enumeration request'), + 'ldap_enumeration_refresh_timeout': _('Length of time between enumeration updates'), + 'ldap_enumeration_refresh_offset': _('Maximum period deviation between enumeration updates'), + 'ldap_purge_cache_timeout': _('Length of time between cache cleanups'), + 'ldap_purge_cache_offset': _('Maximum time deviation between cache cleanups'), + 'ldap_id_use_start_tls': _('Require TLS for ID lookups'), + 'ldap_id_mapping': _('Use ID-mapping of objectSID instead of pre-set IDs'), + 'ldap_user_search_base': _('Base DN for user lookups'), + 'ldap_user_search_scope': _('Scope of user lookups'), + 'ldap_user_search_filter': _('Filter for user lookups'), + 'ldap_user_object_class': _('Objectclass for users'), + 'ldap_user_name': _('Username attribute'), + 'ldap_user_uid_number': _('UID attribute'), + 'ldap_user_gid_number': _('Primary GID attribute'), + 'ldap_user_gecos': _('GECOS attribute'), + 'ldap_user_home_directory': _('Home directory attribute'), + 'ldap_user_shell': _('Shell attribute'), + 'ldap_user_uuid': _('UUID attribute'), + 'ldap_user_objectsid': _("objectSID attribute"), + 'ldap_user_primary_group': _('Active Directory primary group attribute for ID-mapping'), + 
'ldap_user_principal': _('User principal attribute (for Kerberos)'), + 'ldap_user_fullname': _('Full Name'), + 'ldap_user_member_of': _('memberOf attribute'), + 'ldap_user_modify_timestamp': _('Modification time attribute'), + 'ldap_user_shadow_last_change': _('shadowLastChange attribute'), + 'ldap_user_shadow_min': _('shadowMin attribute'), + 'ldap_user_shadow_max': _('shadowMax attribute'), + 'ldap_user_shadow_warning': _('shadowWarning attribute'), + 'ldap_user_shadow_inactive': _('shadowInactive attribute'), + 'ldap_user_shadow_expire': _('shadowExpire attribute'), + 'ldap_user_shadow_flag': _('shadowFlag attribute'), + 'ldap_user_authorized_service': _('Attribute listing authorized PAM services'), + 'ldap_user_authorized_host': _('Attribute listing authorized server hosts'), + 'ldap_user_authorized_rhost': _('Attribute listing authorized server rhosts'), + 'ldap_user_krb_last_pwd_change': _('krbLastPwdChange attribute'), + 'ldap_user_krb_password_expiration': _('krbPasswordExpiration attribute'), + 'ldap_pwd_attribute': _('Attribute indicating that server side password policies are active'), + 'ldap_user_ad_account_expires': _('accountExpires attribute of AD'), + 'ldap_user_ad_user_account_control': _('userAccountControl attribute of AD'), + 'ldap_ns_account_lock': _('nsAccountLock attribute'), + 'ldap_user_nds_login_disabled': _('loginDisabled attribute of NDS'), + 'ldap_user_nds_login_expiration_time': _('loginExpirationTime attribute of NDS'), + 'ldap_user_nds_login_allowed_time_map': _('loginAllowedTimeMap attribute of NDS'), + 'ldap_user_ssh_public_key': _('SSH public key attribute'), + 'ldap_user_auth_type': _('attribute listing allowed authentication types for a user'), + 'ldap_user_certificate': _('attribute containing the X509 certificate of the user'), + 'ldap_user_email': _('attribute containing the email address of the user'), + 'ldap_user_passkey': _('attribute containing the passkey mapping data of the user'), + 'ldap_user_extra_attrs': _('A list 
of extra attributes to download along with the user entry'), + + 'ldap_group_search_base': _('Base DN for group lookups'), + 'ldap_group_object_class': _('Objectclass for groups'), + 'ldap_group_name': _('Group name'), + 'ldap_group_pwd': _('Group password'), + 'ldap_group_gid_number': _('GID attribute'), + 'ldap_group_member': _('Group member attribute'), + 'ldap_group_uuid': _('Group UUID attribute'), + 'ldap_group_objectsid': _("objectSID attribute"), + 'ldap_group_modify_timestamp': _('Modification time attribute for groups'), + 'ldap_group_type': _('Type of the group and other flags'), + 'ldap_group_external_member': _('The LDAP group external member attribute'), + 'ldap_group_nesting_level': _('Maximum nesting level SSSD will follow'), + 'ldap_group_search_filter': _('Filter for group lookups'), + 'ldap_group_search_scope': _('Scope of group lookups'), + + 'ldap_netgroup_search_base': _('Base DN for netgroup lookups'), + 'ldap_netgroup_object_class': _('Objectclass for netgroups'), + 'ldap_netgroup_name': _('Netgroup name'), + 'ldap_netgroup_member': _('Netgroups members attribute'), + 'ldap_netgroup_triple': _('Netgroup triple attribute'), + 'ldap_netgroup_modify_timestamp': _('Modification time attribute for netgroups'), + + 'ldap_service_search_base': _('Base DN for service lookups'), + 'ldap_service_object_class': _('Objectclass for services'), + 'ldap_service_name': _('Service name attribute'), + 'ldap_service_port': _('Service port attribute'), + 'ldap_service_proto': _('Service protocol attribute'), + + 'ldap_idmap_range_min': _('Lower bound for ID-mapping'), + 'ldap_idmap_range_max': _('Upper bound for ID-mapping'), + 'ldap_idmap_range_size': _('Number of IDs for each slice when ID-mapping'), + 'ldap_idmap_autorid_compat': _('Use autorid-compatible algorithm for ID-mapping'), + 'ldap_idmap_default_domain': _('Name of the default domain for ID-mapping'), + 'ldap_idmap_default_domain_sid': _('SID of the default domain for ID-mapping'), + 
'ldap_idmap_helper_table_size': _('Number of secondary slices'),
+
+ 'ldap_use_tokengroups': _('Whether to use Token-Groups'),
+ 'ldap_min_id': _('Set lower boundary for allowed IDs from the LDAP server'),
+ 'ldap_max_id': _('Set upper boundary for allowed IDs from the LDAP server'),
+ 'ldap_pwdlockout_dn': _('DN for ppolicy queries'),
+ 'wildcard_limit': _('How many maximum entries to fetch during a wildcard request'),
+ 'ldap_library_debug_level': _('Set libldap debug level'),
+
+ # [provider/ldap/auth]
+ 'ldap_pwd_policy': _('Policy to evaluate the password expiration'),
+
+ # [provider/ldap/access]
+ 'ldap_access_filter': _('LDAP filter to determine access privileges'),
+ 'ldap_account_expire_policy': _('Which attributes shall be used to evaluate if an account is expired'),
+ 'ldap_access_order': _('Which rules should be used to evaluate access control'),
+
+ # [provider/ldap/chpass]
+ 'ldap_chpass_uri': _('URI of an LDAP server where password changes are allowed'),
+ 'ldap_chpass_backup_uri': _('URI of a backup LDAP server where password changes are allowed'),
+ 'ldap_chpass_dns_service_name': _('DNS service name for LDAP password change server'),
+ 'ldap_chpass_update_last_change': _('Whether to update the ldap_user_shadow_last_change attribute after a ' + 'password change'),
+
+ # [provider/ldap/sudo]
+ 'ldap_sudo_search_base': _('Base DN for sudo rules lookups'),
+ 'ldap_sudo_full_refresh_interval': _('Automatic full refresh period'),
+ 'ldap_sudo_smart_refresh_interval': _('Automatic smart refresh period'),
+ 'ldap_sudo_random_offset': _('Smart and full refresh random offset'),
+ 'ldap_sudo_use_host_filter': _('Whether to filter rules by hostname, IP addresses and network'),
+ 'ldap_sudo_hostnames': _('Hostnames and/or fully qualified domain names of this machine to filter sudo rules'),
+ 'ldap_sudo_ip': _('IPv4 or IPv6 addresses or network of this machine to filter sudo rules'),
+ 'ldap_sudo_include_netgroups': _('Whether to include rules that contains 
netgroup in host attribute'),
+ 'ldap_sudo_include_regexp': _('Whether to include rules that contains regular expression in host attribute'),
+ 'ldap_sudorule_object_class': _('Object class for sudo rules'),
+ 'ldap_sudorule_object_class_attr': _('Name of attribute that is used as object class for sudo rules'),
+ 'ldap_sudorule_name': _('Sudo rule name'),
+ 'ldap_sudorule_command': _('Sudo rule command attribute'),
+ 'ldap_sudorule_host': _('Sudo rule host attribute'),
+ 'ldap_sudorule_user': _('Sudo rule user attribute'),
+ 'ldap_sudorule_option': _('Sudo rule option attribute'),
+ 'ldap_sudorule_runas': _('Sudo rule runas attribute'),
+ 'ldap_sudorule_runasuser': _('Sudo rule runasuser attribute'),
+ 'ldap_sudorule_runasgroup': _('Sudo rule runasgroup attribute'),
+ 'ldap_sudorule_notbefore': _('Sudo rule notbefore attribute'),
+ 'ldap_sudorule_notafter': _('Sudo rule notafter attribute'),
+ 'ldap_sudorule_order': _('Sudo rule order attribute'),
+
+ # [provider/ldap/autofs]
+ 'ldap_autofs_map_object_class': _('Object class for automounter maps'),
+ 'ldap_autofs_map_name': _('Automounter map name attribute'),
+ 'ldap_autofs_entry_object_class': _('Object class for automounter map entries'),
+ 'ldap_autofs_entry_key': _('Automounter map entry key attribute'),
+ 'ldap_autofs_entry_value': _('Automounter map entry value attribute'),
+ 'ldap_autofs_search_base': _('Base DN for automounter map lookups'),
+ 'ldap_autofs_map_master_name': _('The name of the automount master map in LDAP.'),
+
+ # [provider/ldap/resolver]
+ 'ldap_iphost_search_base': _('Base DN for IP hosts lookups'),
+ 'ldap_iphost_object_class': _('Object class for IP hosts'),
+ 'ldap_iphost_name': _('IP host name attribute'),
+ 'ldap_iphost_number': _('IP host number (address) attribute'),
+ 'ldap_iphost_entry_usn': _('IP host entryUSN attribute'),
+ 'ldap_ipnetwork_search_base': _('Base DN for IP networks lookups'),
+ 'ldap_ipnetwork_object_class': _('Object class for IP networks'),
+ 
'ldap_ipnetwork_name': _('IP network name attribute'),
+ 'ldap_ipnetwork_number': _('IP network number (address) attribute'),
+ 'ldap_ipnetwork_entry_usn': _('IP network entryUSN attribute'),
+
+ # [provider/simple/access]
+ 'simple_allow_users': _('Comma separated list of allowed users'),
+ 'simple_deny_users': _('Comma separated list of prohibited users'),
+ 'simple_allow_groups': _('Comma separated list of groups that are allowed to log in. This applies only to ' + 'groups within this SSSD domain. Local groups are not evaluated.'),
+ 'simple_deny_groups': _('Comma separated list of groups that are explicitly denied access. This applies only ' + 'to groups within this SSSD domain. Local groups are not evaluated.'),
+
+ # [provider/proxy]
+ 'proxy_max_children': _('The number of preforked proxy children.'),
+
+ # [provider/proxy/id]
+ 'proxy_lib_name': _('The name of the NSS library to use'),
+ 'proxy_resolver_lib_name': _('The name of the NSS library to use for hosts and networks lookups'),
+ 'proxy_fast_alias': _('Whether to look up canonical group name from cache if possible'),
+
+ # [provider/proxy/auth]
+ 'proxy_pam_target': _('PAM stack to use'),
+
+ # [provider/files]
+ 'passwd_files': _('Path of passwd file sources.'),
+ 'group_files': _('Path of group file sources.')
+ } |