Diffstat (limited to 'src/config/cfg_rules.ini')
-rw-r--r--src/config/cfg_rules.ini840
1 files changed, 840 insertions, 0 deletions
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
new file mode 100644
index 0000000..61cbdaf
--- /dev/null
+++ b/src/config/cfg_rules.ini
@@ -0,0 +1,840 @@
+[rule/allowed_sections]
+validator = ini_allowed_sections
+section = sssd
+section = nss
+section = pam
+section = sudo
+section = autofs
+section = ssh
+section = pac
+section = ifp
+section = kcm
+section = session_recording
+section_re = ^prompting/password$
+section_re = ^prompting/password/[^/\@]\+$
+section_re = ^prompting/2fa$
+section_re = ^prompting/2fa/[^/\@]\+$
+section_re = ^prompting/passkey$
+section_re = ^prompting/passkey/[^/\@]\+$
+section_re = ^domain/[^/\@]\+$
+section_re = ^domain/[^/\@]\+/[^/\@]\+$
+section_re = ^application/[^/\@]\+$
+section_re = ^certmap/[^/\@]\+/[^/\@]\+$
+
+
+[rule/allowed_sssd_options]
+validator = ini_allowed_options
+section_re = ^sssd$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_backtrace_enabled
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = description
+
+# Monitor service
+option = services
+option = domains
+option = timeout
+option = re_expression
+option = full_name_format
+option = krb5_rcache_dir
+option = user
+option = default_domain_suffix
+option = certificate_verification
+option = override_space
+option = config_file_version
+option = disable_netlink
+option = enable_files_domain
+option = domain_resolution_order
+option = try_inotify
+option = monitor_resolv_conf
+option = implicit_pac_responder
+option = core_dumpable
+option = passkey_verification
+
+[rule/allowed_nss_options]
+validator = ini_allowed_options
+section_re = ^nss$
+
+option = timeout
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_backtrace_enabled
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = description
+option = responder_idle_timeout
+option = cache_first
+
+# Name service
+option = user_attributes
+option = enum_cache_timeout
+option = entry_cache_nowait_percentage
+option = entry_negative_timeout
+option = local_negative_timeout
+option = filter_users
+option = filter_groups
+option = filter_users_in_groups
+option = pwfield
+option = override_homedir
+option = fallback_homedir
+option = homedir_substring
+option = override_shell
+option = allowed_shells
+option = vetoed_shells
+option = shell_fallback
+option = default_shell
+option = get_domains_timeout
+option = memcache_timeout
+option = memcache_size_passwd
+option = memcache_size_group
+option = memcache_size_initgroups
+
+[rule/allowed_pam_options]
+validator = ini_allowed_options
+section_re = ^pam$
+
+option = timeout
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_backtrace_enabled
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = description
+option = responder_idle_timeout
+option = cache_first
+
+# Authentication service
+option = offline_credentials_expiration
+option = offline_failed_login_attempts
+option = offline_failed_login_delay
+option = pam_verbosity
+option = pam_response_filter
+option = pam_id_timeout
+option = pam_pwd_expiration_warning
+option = get_domains_timeout
+option = pam_trusted_users
+option = pam_public_domains
+option = pam_account_expired_message
+option = pam_account_locked_message
+option = pam_cert_auth
+option = pam_cert_db_path
+option = pam_cert_verification
+option = p11_child_timeout
+option = pam_app_services
+option = pam_p11_allowed_services
+option = p11_wait_for_card_timeout
+option = p11_uri
+option = pam_initgroups_scheme
+option = pam_gssapi_services
+option = pam_gssapi_check_upn
+option = pam_gssapi_indicators_map
+option = pam_passkey_auth
+option = passkey_child_timeout
+option = passkey_debug_libfido2
+
+[rule/allowed_sudo_options]
+validator = ini_allowed_options
+section_re = ^sudo$
+
+option = timeout
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_backtrace_enabled
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = description
+option = responder_idle_timeout
+option = cache_first
+
+# sudo service
+option = sudo_timed
+option = sudo_inverse_order
+option = sudo_threshold
+
+[rule/allowed_autofs_options]
+validator = ini_allowed_options
+section_re = ^autofs$
+
+option = timeout
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_backtrace_enabled
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = description
+option = responder_idle_timeout
+option = cache_first
+
+# autofs service
+option = autofs_negative_timeout
+
+[rule/allowed_ssh_options]
+validator = ini_allowed_options
+section_re = ^ssh$
+
+option = timeout
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_backtrace_enabled
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = description
+option = responder_idle_timeout
+option = cache_first
+
+# ssh service
+option = ssh_hash_known_hosts
+option = ssh_known_hosts_timeout
+option = ca_db
+option = ssh_use_certificate_keys
+option = ssh_use_certificate_matching_rules
+
+[rule/allowed_pac_options]
+validator = ini_allowed_options
+section_re = ^pac$
+
+option = timeout
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_backtrace_enabled
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = description
+option = responder_idle_timeout
+option = cache_first
+
+# PAC responder
+option = allowed_uids
+option = pac_lifetime
+option = pac_check
+
+[rule/allowed_ifp_options]
+validator = ini_allowed_options
+section_re = ^ifp$
+
+option = timeout
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_backtrace_enabled
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = description
+option = responder_idle_timeout
+option = cache_first
+
+# InfoPipe responder
+option = allowed_uids
+option = user_attributes
+
+# KCM responder
+[rule/allowed_kcm_options]
+validator = ini_allowed_options
+section_re = ^kcm$
+
+option = timeout
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_backtrace_enabled
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = description
+option = socket_path
+option = ccache_storage
+option = responder_idle_timeout
+option = max_ccaches
+option = max_uid_ccaches
+option = max_ccache_size
+option = tgt_renewal
+option = tgt_renewal_inherit
+option = krb5_lifetime
+option = krb5_renewable_lifetime
+option = krb5_renew_interval
+option = krb5_validate
+option = krb5_canonicalize
+option = krb5_auth_timeout
+
+# Session recording
+[rule/allowed_session_recording_options]
+validator = ini_allowed_options
+section_re = ^session_recording$
+
+option = scope
+option = users
+option = groups
+option = exclude_users
+option = exclude_groups
+
+# Prompting during authentication
+[rule/allowed_prompting_password_options]
+validator = ini_allowed_options
+section_re = ^prompting/password$
+
+option = password_prompt
+
+[rule/allowed_prompting_2fa_options]
+validator = ini_allowed_options
+section_re = ^prompting/2fa$
+
+option = single_prompt
+option = first_prompt
+option = second_prompt
+
+[rule/allowed_prompting_passkey_options]
+validator = ini_allowed_options
+section_re = ^prompting/passkey$
+
+option = interactive
+option = interactive_prompt
+option = touch
+option = touch_prompt
+
+[rule/allowed_prompting_password_subsec_options]
+validator = ini_allowed_options
+section_re = ^prompting/password/[^/\@]\+$
+
+option = password_prompt
+
+[rule/allowed_prompting_2fa_subsec_options]
+validator = ini_allowed_options
+section_re = ^prompting/2fa/[^/\@]\+$
+
+option = single_prompt
+option = first_prompt
+option = second_prompt
+
+[rule/allowed_prompting_passkey_subsec_options]
+validator = ini_allowed_options
+section_re = ^prompting/passkey/[^/\@]\+$
+
+option = interactive
+option = interactive_prompt
+option = touch
+option = touch_prompt
+
+[rule/allowed_domain_options]
+validator = ini_allowed_options
+section_re = ^\(domain\|application\)/[^/]\+$
+
+option = debug
+option = debug_level
+option = debug_timestamps
+option = debug_microseconds
+option = debug_backtrace_enabled
+option = command
+option = reconnection_retries
+option = fd_limit
+option = client_idle_timeout
+option = description
+
+#Available provider types
+option = id_provider
+option = auth_provider
+option = access_provider
+option = chpass_provider
+option = sudo_provider
+option = autofs_provider
+option = hostid_provider
+option = subdomains_provider
+option = selinux_provider
+option = session_provider
+option = resolver_provider
+
+# Options available to all domains
+option = enabled
+option = domain_type
+option = min_id
+option = max_id
+option = timeout
+option = enumerate
+option = subdomain_enumerate
+option = offline_timeout
+option = offline_timeout_max
+option = offline_timeout_random_offset
+option = cache_credentials
+option = cache_credentials_minimal_first_factor_length
+option = use_fully_qualified_names
+option = ignore_group_members
+option = entry_cache_timeout
+option = lookup_family_order
+option = account_cache_expiration
+option = pwd_expiration_warning
+option = filter_users
+option = filter_groups
+option = dns_resolver_server_timeout
+option = dns_resolver_op_timeout
+option = dns_resolver_timeout
+option = dns_resolver_use_search_list
+option = dns_discovery_domain
+option = override_gid
+option = case_sensitive
+option = override_homedir
+option = fallback_homedir
+option = homedir_substring
+option = override_shell
+option = default_shell
+option = description
+option = realmd_tags
+option = subdomain_refresh_interval
+option = subdomain_refresh_interval_offset
+option = subdomain_inherit
+option = subdomain_homedir
+option = cached_auth_timeout
+option = wildcard_limit
+option = full_name_format
+option = re_expression
+option = auto_private_groups
+option = pam_gssapi_services
+option = pam_gssapi_check_upn
+option = pam_gssapi_indicators_map
+option = local_auth_policy
+
+#Entry cache timeouts
+option = entry_cache_user_timeout
+option = entry_cache_group_timeout
+option = entry_cache_netgroup_timeout
+option = entry_cache_service_timeout
+option = entry_cache_autofs_timeout
+option = entry_cache_sudo_timeout
+option = entry_cache_ssh_host_timeout
+option = entry_cache_computer_timeout
+option = entry_cache_resolver_timeout
+option = refresh_expired_interval
+option = refresh_expired_interval_offset
+
+# Dynamic DNS updates
+option = dyndns_update
+option = dyndns_ttl
+option = dyndns_iface
+option = dyndns_refresh_interval
+option = dyndns_refresh_interval_offset
+option = dyndns_update_ptr
+option = dyndns_force_tcp
+option = dyndns_auth
+option = dyndns_auth_ptr
+option = dyndns_server
+
+# files provider specific options
+option = passwd_files
+option = group_files
+option = fallback_to_nss
+
+# proxy provider specific options
+option = proxy_lib_name
+option = proxy_resolver_lib_name
+option = proxy_fast_alias
+option = proxy_pam_target
+option = proxy_max_children
+
+# simple access provider specific options
+option = simple_allow_users
+option = simple_deny_users
+option = simple_allow_groups
+option = simple_deny_groups
+
+# AD provider specific options
+option = ad_access_filter
+option = ad_backup_server
+option = ad_domain
+option = ad_enable_dns_sites
+option = ad_enabled_domains
+option = ad_enable_gc
+option = ad_gpo_access_control
+option = ad_gpo_implicit_deny
+option = ad_gpo_ignore_unreadable
+option = ad_gpo_cache_timeout
+option = ad_gpo_default_right
+option = ad_gpo_map_batch
+option = ad_gpo_map_deny
+option = ad_gpo_map_interactive
+option = ad_gpo_map_network
+option = ad_gpo_map_permit
+option = ad_gpo_map_remote_interactive
+option = ad_gpo_map_service
+option = ad_hostname
+option = ad_machine_account_password_renewal_opts
+option = ad_maximum_machine_account_password_age
+option = ad_server
+option = ad_site
+option = ad_update_samba_machine_account_password
+option = ad_use_ldaps
+option = ad_allow_remote_domain_local_groups
+
+# IPA provider specific options
+option = ipa_access_order
+option = ipa_anchor_uuid
+option = ipa_automount_location
+option = ipa_backup_server
+option = ipa_deskprofile_refresh
+option = ipa_deskprofile_request_interval
+option = ipa_deskprofile_search_base
+option = ipa_subid_ranges_search_base
+option = ipa_domain
+option = ipa_dyndns_iface
+option = ipa_dyndns_ttl
+option = ipa_dyndns_update
+option = ipa_enable_dns_sites
+option = ipa_group_override_object_class
+option = ipa_hbac_refresh
+option = ipa_hbac_search_base
+option = ipa_hbac_support_srchost
+option = ipa_host_fqdn
+option = ipa_hostgroup_memberof
+option = ipa_hostgroup_member
+option = ipa_hostgroup_name
+option = ipa_hostgroup_objectclass
+option = ipa_hostgroup_uuid
+option = ipa_host_member_of
+option = ipa_host_name
+option = ipa_hostname
+option = ipa_host_object_class
+option = ipa_host_search_base
+option = ipa_host_serverhostname
+option = ipa_host_ssh_public_key
+option = ipa_host_uuid
+option = ipa_master_domain_search_base
+option = ipa_netgroup_domain
+option = ipa_netgroup_member_ext_host
+option = ipa_netgroup_member_host
+option = ipa_netgroup_member_of
+option = ipa_netgroup_member
+option = ipa_netgroup_member_user
+option = ipa_netgroup_name
+option = ipa_netgroup_object_class
+option = ipa_netgroup_uuid
+option = ipa_override_object_class
+option = ipa_ranges_search_base
+option = ipa_selinux_refresh
+option = ipa_selinux_usermap_enabled
+option = ipa_selinux_usermap_host_category
+option = ipa_selinux_usermap_member_host
+option = ipa_selinux_usermap_member_user
+option = ipa_selinux_usermap_name
+option = ipa_selinux_usermap_object_class
+option = ipa_selinux_usermap_see_also
+option = ipa_selinux_usermap_selinux_user
+option = ipa_selinux_usermap_user_category
+option = ipa_selinux_usermap_uuid
+option = ipa_server_mode
+option = ipa_server
+option = ipa_subdomains_search_base
+option = ipa_sudocmdgroup_entry_usn
+option = ipa_sudocmdgroup_member
+option = ipa_sudocmdgroup_name
+option = ipa_sudocmdgroup_object_class
+option = ipa_sudocmdgroup_uuid
+option = ipa_sudocmd_memberof
+option = ipa_sudocmd_object_class
+option = ipa_sudocmd_sudoCmd
+option = ipa_sudocmd_uuid
+option = ipa_sudorule_allowcmd
+option = ipa_sudorule_cmdcategory
+option = ipa_sudorule_denycmd
+option = ipa_sudorule_enabled_flag
+option = ipa_sudorule_entry_usn
+option = ipa_sudorule_externaluser
+option = ipa_sudorule_hostcategory
+option = ipa_sudorule_host
+option = ipa_sudorule_name
+option = ipa_sudorule_notafter
+option = ipa_sudorule_notbefore
+option = ipa_sudorule_object_class
+option = ipa_sudorule_option
+option = ipa_sudorule_runasextgroup
+option = ipa_sudorule_runasextusergroup
+option = ipa_sudorule_runasextuser
+option = ipa_sudorule_runasgroupcategory
+option = ipa_sudorule_runasgroup
+option = ipa_sudorule_runasusercategory
+option = ipa_sudorule_sudoorder
+option = ipa_sudorule_usercategory
+option = ipa_sudorule_user
+option = ipa_sudorule_uuid
+option = ipa_user_override_object_class
+option = ipa_view_class
+option = ipa_view_name
+option = ipa_views_search_base
+
+# krb5 provider specific options
+option = krb5_auth_timeout
+option = krb5_backup_kpasswd
+option = krb5_backup_server
+option = krb5_canonicalize
+option = krb5_ccachedir
+option = krb5_ccname_template
+option = krb5_confd_path
+option = krb5_fast_principal
+option = krb5_fast_use_anonymous_pkinit
+option = krb5_kdcinfo_lookahead
+option = krb5_kdcip
+option = krb5_keytab
+option = krb5_kpasswd
+option = krb5_lifetime
+option = krb5_map_user
+option = krb5_realm
+option = krb5_renewable_lifetime
+option = krb5_renew_interval
+option = krb5_server
+option = krb5_store_password_if_offline
+option = krb5_use_enterprise_principal
+option = krb5_use_subdomain_realm
+option = krb5_use_fast
+option = krb5_use_kdcinfo
+option = krb5_validate
+
+# ldap provider specific options
+option = ldap_access_filter
+option = ldap_access_order
+option = ldap_account_expire_policy
+option = ldap_autofs_entry_key
+option = ldap_autofs_entry_object_class
+option = ldap_autofs_entry_value
+option = ldap_autofs_map_master_name
+option = ldap_autofs_map_name
+option = ldap_autofs_map_object_class
+option = ldap_autofs_search_base
+option = ldap_backup_uri
+option = ldap_chpass_backup_uri
+option = ldap_chpass_dns_service_name
+option = ldap_chpass_update_last_change
+option = ldap_chpass_uri
+option = ldap_connection_expire_timeout
+option = ldap_connection_expire_offset
+option = ldap_connection_idle_timeout
+option = ldap_default_authtok
+option = ldap_default_authtok_type
+option = ldap_default_bind_dn
+option = ldap_deref
+option = ldap_deref_threshold
+option = ldap_ignore_unreadable_references
+option = ldap_disable_paging
+option = ldap_disable_range_retrieval
+option = ldap_dns_service_name
+option = ldap_entry_usn
+option = ldap_enumeration_refresh_timeout
+option = ldap_enumeration_refresh_offset
+option = ldap_enumeration_search_timeout
+option = ldap_force_upper_case_realm
+option = ldap_group_entry_usn
+option = ldap_group_external_member
+option = ldap_group_gid_number
+option = ldap_group_member
+option = ldap_group_modify_timestamp
+option = ldap_group_name
+option = ldap_group_nesting_level
+option = ldap_group_object_class
+option = ldap_group_objectsid
+option = ldap_group_search_base
+option = ldap_group_search_filter
+option = ldap_group_search_scope
+option = ldap_group_type
+option = ldap_group_uuid
+option = ldap_idmap_autorid_compat
+option = ldap_idmap_default_domain_sid
+option = ldap_idmap_default_domain
+option = ldap_idmap_helper_table_size
+option = ldap_id_mapping
+option = ldap_idmap_range_max
+option = ldap_idmap_range_min
+option = ldap_idmap_range_size
+option = ldap_id_use_start_tls
+option = ldap_krb5_init_creds
+option = ldap_krb5_keytab
+option = ldap_krb5_ticket_lifetime
+option = ldap_library_debug_level
+option = ldap_max_id
+option = ldap_min_id
+option = ldap_netgroup_member
+option = ldap_netgroup_modify_timestamp
+option = ldap_netgroup_name
+option = ldap_netgroup_object_class
+option = ldap_netgroup_search_base
+option = ldap_netgroup_triple
+option = ldap_network_timeout
+option = ldap_ns_account_lock
+option = ldap_offline_timeout
+option = ldap_opt_timeout
+option = ldap_page_size
+option = ldap_purge_cache_timeout
+option = ldap_purge_cache_offset
+option = ldap_pwd_attribute
+option = ldap_pwdlockout_dn
+option = ldap_pwd_policy
+option = ldap_referrals
+option = ldap_rfc2307_fallback_to_local_users
+option = ldap_rootdse_last_usn
+option = ldap_sasl_authid
+option = ldap_sasl_canonicalize
+option = ldap_sasl_mech
+option = ldap_sasl_minssf
+option = ldap_sasl_maxssf
+option = ldap_sasl_realm
+option = ldap_schema
+option = ldap_pwmodify_mode
+option = ldap_search_base
+option = ldap_search_timeout
+option = ldap_service_entry_usn
+option = ldap_service_name
+option = ldap_service_object_class
+option = ldap_service_port
+option = ldap_service_proto
+option = ldap_service_search_base
+option = ldap_sudo_full_refresh_interval
+option = ldap_sudo_hostnames
+option = ldap_sudo_include_netgroups
+option = ldap_sudo_include_regexp
+option = ldap_sudo_ip
+option = ldap_sudorule_command
+option = ldap_sudorule_host
+option = ldap_sudorule_name
+option = ldap_sudorule_notafter
+option = ldap_sudorule_notbefore
+option = ldap_sudorule_object_class
+option = ldap_sudorule_option
+option = ldap_sudorule_order
+option = ldap_sudorule_runasgroup
+option = ldap_sudorule_runas
+option = ldap_sudorule_runasuser
+option = ldap_sudorule_user
+option = ldap_sudo_search_base
+option = ldap_sudo_smart_refresh_interval
+option = ldap_sudo_random_offset
+option = ldap_sudo_use_host_filter
+option = ldap_tls_cacertdir
+option = ldap_tls_cacert
+option = ldap_tls_cert
+option = ldap_tls_cipher_suite
+option = ldap_tls_key
+option = ldap_tls_reqcert
+option = ldap_uri
+option = ldap_user_ad_account_expires
+option = ldap_user_ad_user_account_control
+option = ldap_user_authorized_host
+option = ldap_user_authorized_rhost
+option = ldap_user_authorized_service
+option = ldap_user_auth_type
+option = ldap_user_certificate
+option = ldap_user_email
+option = ldap_user_entry_usn
+option = ldap_user_extra_attrs
+option = ldap_user_fullname
+option = ldap_user_gecos
+option = ldap_user_gid_number
+option = ldap_user_home_directory
+option = ldap_user_krb_last_pwd_change
+option = ldap_user_krb_password_expiration
+option = ldap_user_member_of
+option = ldap_user_modify_timestamp
+option = ldap_user_name
+option = ldap_user_nds_login_allowed_time_map
+option = ldap_user_nds_login_disabled
+option = ldap_user_nds_login_expiration_time
+option = ldap_user_object_class
+option = ldap_user_objectsid
+option = ldap_user_primary_group
+option = ldap_user_principal
+option = ldap_user_search_base
+option = ldap_user_search_filter
+option = ldap_user_search_scope
+option = ldap_user_shadow_expire
+option = ldap_user_shadow_flag
+option = ldap_user_shadow_inactive
+option = ldap_user_shadow_last_change
+option = ldap_user_shadow_max
+option = ldap_user_shadow_min
+option = ldap_user_shadow_warning
+option = ldap_user_shell
+option = ldap_user_ssh_public_key
+option = ldap_user_uid_number
+option = ldap_user_uuid
+option = ldap_use_tokengroups
+option = ldap_host_object_class
+option = ldap_host_name
+option = ldap_host_fqdn
+option = ldap_host_serverhostname
+option = ldap_host_member_of
+option = ldap_host_search_base
+option = ldap_host_ssh_public_key
+option = ldap_host_uuid
+option = ldap_iphost_search_base
+option = ldap_iphost_object_class
+option = ldap_iphost_name
+option = ldap_iphost_number
+option = ldap_iphost_entry_usn
+option = ldap_ipnetwork_search_base
+option = ldap_ipnetwork_object_class
+option = ldap_ipnetwork_name
+option = ldap_ipnetwork_number
+option = ldap_ipnetwork_entry_usn
+
+# For application domains
+option = inherit_from
+
+[rule/allowed_subdomain_options]
+validator = ini_allowed_options
+section_re = ^domain/[^/\@]\+/[^/\@]\+$
+
+option = ldap_search_base
+option = ldap_user_search_base
+option = ldap_group_search_base
+option = ldap_netgroup_search_base
+option = ldap_service_search_base
+option = ldap_sasl_mech
+option = ad_server
+option = ad_backup_server
+option = ad_site
+option = use_fully_qualified_names
+option = auto_private_groups
+option = pam_gssapi_services
+option = pam_gssapi_check_upn
+option = pam_gssapi_indicators_map
+
+[rule/sssd_checks]
+validator = sssd_checks
+
+[rule/allowed_certmap_options]
+validator = ini_allowed_options
+section_re = ^certmap/[^/\@]\+/[^/\@]\+$
+
+option = matchrule
+option = maprule
+option = priority
+option = domains
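Review bot: `option = description` is listed twice in [rule/allowed_domain_options] (once in the common block after `client_idle_timeout`, again after `default_shell`), and that rule's `section_re = ^\(domain\|application\)/[^/]\+$` admits `@` in the domain name while every other domain/application pattern in the file ([rule/allowed_sections] and [rule/allowed_subdomain_options]) uses `[^/\@]\+`; whether the wider class is intentional depends on how the validator combines the rules, which the hunk does not show, but dropping the duplicate and aligning it to `section_re = ^\(domain\|application\)/[^/\@]\+$` would make the allowlist self-consistent. The file also carries no header saying what consumes it or which regex dialect the `\(`, `\|` and `\+` escapes assume, so a reviewer of future additions has nothing to check against; assuming this is the sssd.conf rule set, a comment at the top such as `# Validation rules: each [rule/...] names a validator and the sections/options it permits` followed by `# section_re values are anchored basic regular expressions (\( \| \+ are BRE escapes)` would do. Comment placement is mixed as well: `# KCM responder` and `# Session recording` sit above their section headers while the other service comments sit inside the section after `section_re`, and `#Available provider types` / `#Entry cache timeouts` lack the space after `#` used everywhere else.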