Diffstat (limited to 'src/man/ca')
22 files changed, 1830 insertions, 0 deletions
diff --git a/src/man/ca/include/ad_modified_defaults.xml b/src/man/ca/include/ad_modified_defaults.xml new file mode 100644 index 0000000..6ee0537 --- /dev/null +++ b/src/man/ca/include/ad_modified_defaults.xml 
@@ -0,0 +1,104 @@ +<refsect1 id='modified-default-options'> + <title>MODIFIED DEFAULT OPTIONS</title> + <para> + Certain option defaults do not match their respective backend provider +defaults, these option names and AD provider-specific defaults are listed +below: + </para> + <refsect2 id='krb5_modifications'> + <title>KRB5 Provider</title> + <itemizedlist> + <listitem> + <para> + krb5_validate = true + </para> + </listitem> + <listitem> + <para> + krb5_use_enterprise_principal = true + </para> + </listitem> + </itemizedlist> + </refsect2> + <refsect2 id='ldap_modifications'> + <title>LDAP Provider</title> + <itemizedlist> + <listitem> + <para> + ldap_schema = ad + </para> + </listitem> + <listitem> + <para> + ldap_force_upper_case_realm = true + </para> + </listitem> + <listitem> + <para> + ldap_id_mapping = true + </para> + </listitem> + <listitem> + <para> + ldap_sasl_mech = GSS-SPNEGO + </para> + </listitem> + <listitem> + <para> + ldap_referrals = false + </para> + </listitem> + <listitem> + <para> + ldap_account_expire_policy = ad + </para> + </listitem> + <listitem> + <para> + ldap_use_tokengroups = true + </para> + </listitem> + <listitem> + <para> + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + </para> + <para> + The AD provider looks for a different principal than the LDAP provider by +default, because in an Active Directory environment the principals are +divided into two groups - User Principals and Service Principals. Only User +Principal can be used to obtain a TGT and by default, computer object's +principal is constructed from its sAMAccountName and the AD realm. The +well-known host/hostname@REALM principal is a Service Principal and thus +cannot be used to get a TGT with. 
+ </para> + </listitem> + </itemizedlist> + </refsect2> + <refsect2 id='nss_modifications'> + <title>NSS configuration</title> + <itemizedlist> + <listitem> + <para> + fallback_homedir = /home/%d/%u + </para> + <para> + The AD provider automatically sets "fallback_homedir = /home/%d/%u" to +provide personal home directories for users without the homeDirectory +attribute. If your AD Domain is properly populated with Posix attributes, +and you want to avoid this fallback behavior, you can explicitly set +"fallback_homedir = %o". + </para> + <para> + Note that the system typically expects a home directory in /home/%u +folder. If you decide to use a different directory structure, some other +parts of your system may need adjustments. + </para> + <para> + For example automated creation of home directories in combination with +selinux requires selinux adjustment, otherwise the home directory will be +created with wrong selinux context. + </para> + </listitem> + </itemizedlist> + </refsect2> +</refsect1> diff --git a/src/man/ca/include/autofs_attributes.xml b/src/man/ca/include/autofs_attributes.xml new file mode 100644 index 0000000..2b30de5 --- /dev/null +++ b/src/man/ca/include/autofs_attributes.xml 
@@ -0,0 +1,66 @@ +<variablelist> + <varlistentry> + <term>ldap_autofs_map_object_class (cadena)</term> + <listitem> + <para> + The object class of an automount map entry in LDAP. + </para> + <para> + Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_autofs_map_name (cadena)</term> + <listitem> + <para> + The name of an automount map entry in LDAP. + </para> + <para> + Default: nisMapName (rfc2307, autofs_provider=ad), otherwise +automountMapName + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_autofs_entry_object_class (cadena)</term> + <listitem> + <para> + The object class of an automount entry in LDAP. The entry usually +corresponds to a mount point. + </para> + <para> + Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_autofs_entry_key (cadena)</term> + <listitem> + <para> + The key of an automount entry in LDAP. The entry usually corresponds to a +mount point. + </para> + <para> + Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_autofs_entry_value (cadena)</term> + <listitem> + <para> + The key of an automount entry in LDAP. The entry usually corresponds to a +mount point. + </para> + <para> + Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise +automountInformation + </para> + </listitem> + </varlistentry> +</variablelist> diff --git a/src/man/ca/include/autofs_restart.xml b/src/man/ca/include/autofs_restart.xml new file mode 100644 index 0000000..f31efe5 --- /dev/null +++ b/src/man/ca/include/autofs_restart.xml 
@@ -0,0 +1,5 @@ +<para> + Please note that the automounter only reads the master map on startup, so if +any autofs-related changes are made to the sssd.conf, you typically also +need to restart the automounter daemon after restarting the SSSD. +</para> diff --git a/src/man/ca/include/debug_levels.xml b/src/man/ca/include/debug_levels.xml new file mode 100644 index 0000000..7be587c --- /dev/null +++ b/src/man/ca/include/debug_levels.xml 
@@ -0,0 +1,103 @@ +<listitem> + <para> + L'SSSD admet dues representacions per a l'especificació del nivell de +depuració. La més senzilla és especificar un número del 0-9, que representa +el que permet cada nivell i tots els missatges de depuració de nivell +baix. L'opció més exhaustiva és especificar una màscara de bits en +hexadecimal per activar o desactivar els nivells específics (per exemple, si +voleu suprimir un nivell). + </para> + <para> + Si us plau, tingueu en compte que cadascun dels serveis de l'SSSD registra +el seu fitxer propi de registre. També tingueu en compte que l'habilitació +del <quote>debug_level</quote> a la secció <quote>[sssd]</quote>únicament +habilita la depuració del mateix procés de l'sssd, no per al procés del +contestador o del proveïdor. El paràmetre <quote>debug_level</quote> s'ha +d'afegir en totes les seccions que vulgueu que generin registres. + </para> + <para> + A més de canviar el nivell del registre al fitxer de configuració amb el +paràmetre <quote>debug_level</quote>, que és permanent, però requereix que +es reiniciï l'SSSD, també és possible canviar el nivell de depuració al vol +amb l'eina <citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> +<manvolnum>8</manvolnum> </citerefentry>. + </para> + <para> + Els nivells de depuració que s'admeten actualment: + </para> + <para> + <emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fallides +fatals. Qualsevol cosa que impedeixi la posada en marxa de l'SSSD o provoqui +el seu cessament. + </para> + <para> + <emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + </para> + <para> + <emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Fallides serioses. Un +error que anuncia que una petició o una operació en particular ha fallat. + </para> + <para> + <emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Fallides +menors. 
Aquests són els errors que enterboleixen i poden fer fracassar +l'operació dels 2. + </para> + <para> + <emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Ajusts de la +configuració. + </para> + <para> + <emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Dades de les funcions. + </para> + <para> + <emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Missatges de traça per +al funcionament de les funcions. + </para> + <para> + <emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Missatges de traça per +a les funcions internes de control. + </para> + <para> + <emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contingut de les +variables de les funcions internes que poden ser interessants. + </para> + <para> + <emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Informació de traçat +extremadament de baix nivell. + </para> + <para> + <emphasis>9</emphasis>, <emphasis>0x20000</emphasis>: Performance and +statistical data, please note that due to the way requests are processed +internally the logged execution time of a request might be longer than it +actually was. + </para> + <para> + <emphasis>10</emphasis>, <emphasis>0x10000</emphasis>: Even more low-level +libldb tracing information. Almost never really required. + </para> + <para> + Per registrar els nivells de depuració de la màscara de bits que es +requereixi, només heu d'afegir els seus números com es mostra en els +següents exemples: + </para> + <para> + <emphasis>Exemple</emphasis>: Per registrar les fallides fatals, les +fallides crítiques, les fallides serioses i les dades de les funcions, +utilitzeu0x0270. + </para> + <para> + <emphasis>Exemple</emphasis>: Per registrar les fallides fatals, els ajusts +de la configuració, les dades de les funcions, els missatges de traça per a +les funcions internes de control, utilitzeu 0x1310. + </para> + <para> + <emphasis>Nota</emphasis>: El format de la màscara de bits dels nivells de +depuració es va introduir en la versió 1.7.0. 
+ </para> + <para> + <emphasis>Default</emphasis>: 0x0070 (i.e. fatal, critical and serious +failures; corresponds to setting 2 in decimal notation) + </para> +</listitem> diff --git a/src/man/ca/include/debug_levels_tools.xml b/src/man/ca/include/debug_levels_tools.xml new file mode 100644 index 0000000..97e0d12 --- /dev/null +++ b/src/man/ca/include/debug_levels_tools.xml 
@@ -0,0 +1,82 @@ +<listitem> + <para> + L'SSSD admet dues representacions per a l'especificació del nivell de +depuració. La més senzilla és especificar un número del 0-9, que representa +el que permet cada nivell i tots els missatges de depuració de nivell +baix. L'opció més exhaustiva és especificar una màscara de bits en +hexadecimal per activar o desactivar els nivells específics (per exemple, si +voleu suprimir un nivell). + </para> + <para> + Els nivells de depuració que s'admeten actualment: + </para> + <para> + <emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fallides +fatals. Qualsevol cosa que impedeixi la posada en marxa de l'SSSD o provoqui +el seu cessament. + </para> + <para> + <emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An +error that doesn't kill SSSD, but one that indicates that at least one major +feature is not going to work properly. + </para> + <para> + <emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Fallides serioses. Un +error que anuncia que una petició o una operació en particular ha fallat. + </para> + <para> + <emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Fallides +menors. Aquests són els errors que enterboleixen i poden fer fracassar +l'operació dels 2. + </para> + <para> + <emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Ajusts de la +configuració. + </para> + <para> + <emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Dades de les funcions. + </para> + <para> + <emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Missatges de traça per +al funcionament de les funcions. + </para> + <para> + <emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Missatges de traça per +a les funcions internes de control. + </para> + <para> + <emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contingut de les +variables de les funcions internes que poden ser interessants. + </para> + <para> + <emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Informació de traçat +extremadament de baix nivell. 
+ </para> + <para> + <emphasis>10</emphasis>, <emphasis>0x10000</emphasis>: Even more low-level +libldb tracing information. Almost never really required. + </para> + <para> + Per registrar els nivells de depuració de la màscara de bits que es +requereixi, només heu d'afegir els seus números com es mostra en els +següents exemples: + </para> + <para> + <emphasis>Exemple</emphasis>: Per registrar les fallides fatals, les +fallides crítiques, les fallides serioses i les dades de les funcions, +utilitzeu0x0270. + </para> + <para> + <emphasis>Exemple</emphasis>: Per registrar les fallides fatals, els ajusts +de la configuració, les dades de les funcions, els missatges de traça per a +les funcions internes de control, utilitzeu 0x1310. + </para> + <para> + <emphasis>Nota</emphasis>: El format de la màscara de bits dels nivells de +depuració es va introduir en la versió 1.7.0. + </para> + <para> + <emphasis>Default</emphasis>: 0x0070 (i.e. fatal, critical and serious +failures; corresponds to setting 2 in decimal notation) + </para> +</listitem> diff --git a/src/man/ca/include/failover.xml b/src/man/ca/include/failover.xml new file mode 100644 index 0000000..f4c6bc1 --- /dev/null +++ b/src/man/ca/include/failover.xml 
@@ -0,0 +1,120 @@ +<refsect1 id='failover'> + <title>FAILOVER</title> + <para> + The failover feature allows back ends to automatically switch to a different +server if the current server fails. + </para> + <refsect2 id='failover_syntax'> + <title>Failover Syntax</title> + <para> + The list of servers is given as a comma-separated list; any number of spaces +is allowed around the comma. The servers are listed in order of +preference. The list can contain any number of servers. + </para> + <para> + For each failover-enabled config option, two variants exist: +<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is +that servers in the primary list are preferred and backup servers are only +searched if no primary servers can be reached. If a backup server is +selected, a timeout of 31 seconds is set. After this timeout SSSD will +periodically try to reconnect to one of the primary servers. If it succeeds, +it will replace the current active (backup) server. + </para> + </refsect2> + <refsect2 id='failover_mechanism'> + <title>The Failover Mechanism</title> + <para> + The failover mechanism distinguishes between a machine and a service. The +back end first tries to resolve the hostname of a given machine; if this +resolution attempt fails, the machine is considered offline. No further +attempts are made to connect to this machine for any other service. If the +resolution attempt succeeds, the back end tries to connect to a service on +this machine. If the service connection attempt fails, then only this +particular service is considered offline and the back end automatically +switches over to the next service. The machine is still considered online +and might still be tried for another service. + </para> + <para> + Further connection attempts are made to machines or services marked as +offline after a specified period of time; this is currently hard coded to 30 +seconds. 
+ </para> + <para> + If there are no more machines to try, the back end as a whole switches to +offline mode, and then attempts to reconnect every 30 seconds. + </para> + </refsect2> + <refsect2 id='failover_tuning'> + <title>Failover time outs and tuning</title> + <para> + Resolving a server to connect to can be as simple as running a single DNS +query or can involve several steps, such as finding the correct site or +trying out multiple host names in case some of the configured servers are +not reachable. The more complex scenarios can take some time and SSSD needs +to balance between providing enough time to finish the resolution process +but on the other hand, not trying for too long before falling back to +offline mode. If the SSSD debug logs show that the server resolution is +timing out before a live server is contacted, you can consider changing the +time outs. + </para> + <para> + This section lists the available tunables. Please refer to their description +in the <citerefentry> +<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, manual page. <variablelist> + <varlistentry> + <term> + dns_resolver_server_timeout + </term> + <listitem> + <para> + Time in milliseconds that sets how long would SSSD talk to a single DNS +server before trying next one. + </para> + <para> + Per defecte: 1000 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + dns_resolver_op_timeout + </term> + <listitem> + <para> + Time in seconds to tell how long would SSSD try to resolve single DNS query +(e.g. resolution of a hostname or an SRV record) before trying the next +hostname or discovery domain. + </para> + <para> + Per defecte: 3 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + dns_resolver_timeout + </term> + <listitem> + <para> + How long would SSSD try to resolve a failover service. This service +resolution internally might include several steps, such as resolving DNS SRV +queries or locating the site. 
+ </para> + <para> + Per defecte: 6 + </para> + </listitem> + </varlistentry> + </variablelist> + </para> + <para> + For LDAP-based providers, the resolve operation is performed as part of an +LDAP connection operation. Therefore, also the +<quote>ldap_opt_timeout</quote> timeout should be set to a larger value than +<quote>dns_resolver_timeout</quote> which in turn should be set to a larger +value than <quote>dns_resolver_op_timeout</quote> which should be larger +than <quote>dns_resolver_server_timeout</quote>. + </para> + </refsect2> +</refsect1> diff --git a/src/man/ca/include/homedir_substring.xml b/src/man/ca/include/homedir_substring.xml new file mode 100644 index 0000000..f7328c7 --- /dev/null +++ b/src/man/ca/include/homedir_substring.xml @@ -0,0 +1,17 @@ +<varlistentry> + <term>homedir_substring (cadena)</term> + <listitem> + <para> + The value of this option will be used in the expansion of the +<emphasis>override_homedir</emphasis> option if the template contains the +format string <emphasis>%H</emphasis>. An LDAP directory entry can directly +contain this template so that this option can be used to expand the home +directory path for each client machine (or operating system). It can be set +per-domain or globally in the [nss] section. A value specified in a domain +section will override one set in the [nss] section. + </para> + <para> + Per defecte: /home + </para> + </listitem> +</varlistentry> diff --git a/src/man/ca/include/ipa_modified_defaults.xml b/src/man/ca/include/ipa_modified_defaults.xml new file mode 100644 index 0000000..4ad4b45 --- /dev/null +++ b/src/man/ca/include/ipa_modified_defaults.xml 
@@ -0,0 +1,123 @@ +<refsect1 id='modified-default-options'> + <title>MODIFIED DEFAULT OPTIONS</title> + <para> + Certain option defaults do not match their respective backend provider +defaults, these option names and IPA provider-specific defaults are listed +below: + </para> + <refsect2 id='krb5_modifications'> + <title>KRB5 Provider</title> + <itemizedlist> + <listitem> + <para> + krb5_validate = true + </para> + </listitem> + <listitem> + <para> + krb5_use_fast = try + </para> + </listitem> + <listitem> + <para> + krb5_canonicalize = true + </para> + </listitem> + </itemizedlist> + </refsect2> + <refsect2 id='ldap_general_modifications'> + <title>LDAP Provider - General</title> + <itemizedlist> + <listitem> + <para> + ldap_schema = ipa_v1 + </para> + </listitem> + <listitem> + <para> + ldap_force_upper_case_realm = true + </para> + </listitem> + <listitem> + <para> + ldap_sasl_mech = GSSAPI + </para> + </listitem> + <listitem> + <para> + ldap_sasl_minssf = 56 + </para> + </listitem> + <listitem> + <para> + ldap_account_expire_policy = ipa + </para> + </listitem> + <listitem> + <para> + ldap_use_tokengroups = true + </para> + </listitem> + </itemizedlist> + </refsect2> + <refsect2 id='ldap_user_modifications'> + <title>LDAP Provider - User options</title> + <itemizedlist> + <listitem> + <para> + ldap_user_member_of = memberOf + </para> + </listitem> + <listitem> + <para> + ldap_user_uuid = ipaUniqueID + </para> + </listitem> + <listitem> + <para> + ldap_user_ssh_public_key = ipaSshPubKey + </para> + </listitem> + <listitem> + <para> + ldap_user_auth_type = ipaUserAuthType + </para> + </listitem> + </itemizedlist> + </refsect2> + <refsect2 id='ldap_group_modifications'> + <title>LDAP Provider - Group options</title> + <itemizedlist> + <listitem> + <para> + ldap_group_object_class = ipaUserGroup + </para> + </listitem> + <listitem> + <para> + ldap_group_object_class_alt = posixGroup + </para> + </listitem> + <listitem> + <para> + ldap_group_member = member + 
</para> + </listitem> + <listitem> + <para> + ldap_group_uuid = ipaUniqueID + </para> + </listitem> + <listitem> + <para> + ldap_group_objectsid = ipaNTSecurityIdentifier + </para> + </listitem> + <listitem> + <para> + ldap_group_external_member = ipaExternalMember + </para> + </listitem> + </itemizedlist> + </refsect2> +</refsect1> diff --git a/src/man/ca/include/krb5_options.xml b/src/man/ca/include/krb5_options.xml new file mode 100644 index 0000000..c26aa7b --- /dev/null +++ b/src/man/ca/include/krb5_options.xml 
@@ -0,0 +1,153 @@ +<variablelist> + <varlistentry> + <term>krb5_auth_timeout (enter)</term> + <listitem> + <para> + Timeout in seconds after an online authentication request or change password +request is aborted. If possible, the authentication request is continued +offline. + </para> + <para> + Per defecte: 6 + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_validate (booleà)</term> + <listitem> + <para> + Verify with the help of krb5_keytab that the TGT obtained has not been +spoofed. The keytab is checked for entries sequentially, and the first entry +with a matching realm is used for validation. If no entry matches the realm, +the last entry in the keytab is used. This process can be used to validate +environments using cross-realm trust by placing the appropriate keytab entry +as the last entry or the only entry in the keytab file. + </para> + <para> + Default: false (IPA and AD provider: true) + </para> + <para> + Please note that the ticket validation is the first step when checking the +PAC (see 'pac_check' in the <citerefentry> +<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> +</citerefentry> manual page for details). If ticket validation is disabled +the PAC checks will be skipped as well. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_renewable_lifetime (cadena)</term> + <listitem> + <para> + Request a renewable ticket with a total lifetime, given as an integer +immediately followed by a time unit: + </para> + <para> + <emphasis>s</emphasis> per segons + </para> + <para> + <emphasis>m</emphasis> per minuts + </para> + <para> + <emphasis>h</emphasis> per hores + </para> + <para> + <emphasis>d</emphasis> per dies. + </para> + <para> + If there is no unit given, <emphasis>s</emphasis> is assumed. + </para> + <para> + NOTE: It is not possible to mix units. To set the renewable lifetime to one +and a half hours, use '90m' instead of '1h30m'. + </para> + <para> + Default: not set, i.e. 
the TGT is not renewable + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_lifetime (cadena)</term> + <listitem> + <para> + Request ticket with a lifetime, given as an integer immediately followed by +a time unit: + </para> + <para> + <emphasis>s</emphasis> per segons + </para> + <para> + <emphasis>m</emphasis> per minuts + </para> + <para> + <emphasis>h</emphasis> per hores + </para> + <para> + <emphasis>d</emphasis> per dies. + </para> + <para> + If there is no unit given <emphasis>s</emphasis> is assumed. + </para> + <para> + NOTE: It is not possible to mix units. To set the lifetime to one and a +half hours please use '90m' instead of '1h30m'. + </para> + <para> + Default: not set, i.e. the default ticket lifetime configured on the KDC. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_renew_interval (cadena)</term> + <listitem> + <para> + The time in seconds between two checks if the TGT should be renewed. TGTs +are renewed if about half of their lifetime is exceeded, given as an integer +immediately followed by a time unit: + </para> + <para> + <emphasis>s</emphasis> per segons + </para> + <para> + <emphasis>m</emphasis> per minuts + </para> + <para> + <emphasis>h</emphasis> per hores + </para> + <para> + <emphasis>d</emphasis> per dies. + </para> + <para> + If there is no unit given, <emphasis>s</emphasis> is assumed. + </para> + <para> + NOTE: It is not possible to mix units. To set the renewable lifetime to one +and a half hours, use '90m' instead of '1h30m'. + </para> + <para> + If this option is not set or is 0 the automatic renewal is disabled. + </para> + <para> + Per defecte: sense establir + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>krb5_canonicalize (booleà)</term> + <listitem> + <para> + Specifies if the host and user principal should be canonicalized. This +feature is available with MIT Kerberos 1.7 and later versions. 
+ </para> + + <para> + Per defecte: false + </para> + </listitem> + </varlistentry> +</variablelist> diff --git a/src/man/ca/include/ldap_id_mapping.xml b/src/man/ca/include/ldap_id_mapping.xml new file mode 100644 index 0000000..9ee509a --- /dev/null +++ b/src/man/ca/include/ldap_id_mapping.xml 
@@ -0,0 +1,284 @@ +<refsect1 id='idmap'> + <title>ID MAPPING</title> + <para> + The ID-mapping feature allows SSSD to act as a client of Active Directory +without requiring administrators to extend user attributes to support POSIX +attributes for user and group identifiers. + </para> + <para> + NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are +ignored. This is to avoid the possibility of conflicts between +automatically-assigned and manually-assigned values. If you need to use +manually-assigned values, ALL values must be manually-assigned. + </para> + <para> + Please note that changing the ID mapping related configuration options will +cause user and group IDs to change. At the moment, SSSD does not support +changing IDs, so the SSSD database must be removed. Because cached passwords +are also stored in the database, removing the database should only be +performed while the authentication servers are reachable, otherwise users +might get locked out. In order to cache the password, an authentication must +be performed. It is not sufficient to use <citerefentry> +<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> +</citerefentry> to remove the database, rather the process consists of: + <itemizedlist> + <listitem> + <para> + Making sure the remote servers are reachable + </para> + </listitem> + <listitem> + <para> + Stopping the SSSD service + </para> + </listitem> + <listitem> + <para> + Removing the database + </para> + </listitem> + <listitem> + <para> + Starting the SSSD service + </para> + </listitem> + </itemizedlist> + Moreover, as the change of IDs might necessitate the adjustment of other +system properties such as file and directory ownership, it's advisable to +plan ahead and test the ID mapping configuration thoroughly. + </para> + + <refsect2 id='idmap_algorithm'> + <title>Mapping Algorithm</title> + <para> + Active Directory provides an objectSID for every user and group object in +the directory. 
This objectSID can be broken up into components that +represent the Active Directory domain identity and the relative identifier +(RID) of the user or group object. + </para> + <para> + The SSSD ID-mapping algorithm takes a range of available UIDs and divides it +into equally-sized component sections - called "slices"-. Each slice +represents the space available to an Active Directory domain. + </para> + <para> + When a user or group entry for a particular domain is encountered for the +first time, the SSSD allocates one of the available slices for that +domain. In order to make this slice-assignment repeatable on different +client machines, we select the slice based on the following algorithm: + </para> + <para> + The SID string is passed through the murmurhash3 algorithm to convert it to +a 32-bit hashed value. We then take the modulus of this value with the total +number of available slices to pick the slice. + </para> + <para> + NOTE: It is possible to encounter collisions in the hash and subsequent +modulus. In these situations, we will select the next available slice, but +it may not be possible to reproduce the same exact set of slices on other +machines (since the order that they are encountered will determine their +slice). In this situation, it is recommended to either switch to using +explicit POSIX attributes in Active Directory (disabling ID-mapping) or +configure a default domain to guarantee that at least one is always +consistent. See <quote>Configuration</quote> for details. + </para> + </refsect2> + + <refsect2 id='idmap_config'> + <title>Configuració</title> + <para> + Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section): + </para> + <para> +<programlisting> +ldap_id_mapping = True +ldap_schema = ad +</programlisting> + </para> + <para> + The default configuration results in configuring 10,000 slices, each capable +of holding up to 200,000 IDs, starting from 200,000 and going up to +2,000,200,000. 
This should be sufficient for most deployments. + </para> + <refsect3 id='idmap_advanced_config'> + <title>Advanced Configuration</title> + <variablelist> + <varlistentry> + <term>ldap_idmap_range_min (enter)</term> + <listitem> + <para> + Specifies the lower (inclusive) bound of the range of POSIX IDs to use for +mapping Active Directory user and group SIDs. It is the first POSIX ID which +can be used for the mapping. + </para> + <para> + NOTE: This option is different from <quote>min_id</quote> in that +<quote>min_id</quote> acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +<quote>min_id</quote> be less-than or equal to +<quote>ldap_idmap_range_min</quote> + </para> + <para> + Per defecte: 200000 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_range_max (enter)</term> + <listitem> + <para> + Specifies the upper (exclusive) bound of the range of POSIX IDs to use for +mapping Active Directory user and group SIDs. It is the first POSIX ID which +cannot be used for the mapping anymore, i.e. one larger than the last one +which can be used for the mapping. + </para> + <para> + NOTE: This option is different from <quote>max_id</quote> in that +<quote>max_id</quote> acts to filter the output of requests to this domain, +whereas this option controls the range of ID assignment. This is a subtle +distinction, but the good general advice would be to have +<quote>max_id</quote> be greater-than or equal to +<quote>ldap_idmap_range_max</quote> + </para> + <para> + Per defecte: 2000200000 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_range_size (enter)</term> + <listitem> + <para> + Specifies the number of IDs available for each slice. If the range size +does not divide evenly into the min and max values, it will create as many +complete slices as it can. 
+ </para> + <para> + NOTE: The value of this option must be at least as large as the highest user +RID planned for use on the Active Directory server. User lookups and login +will fail for any user whose RID is greater than this value. + </para> + <para> + For example, if your most recently-added Active Directory user has +objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, +<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is +equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1). + </para> + <para> + It is important to plan ahead for future expansion, as changing this value +will result in changing all of the ID mappings on the system, leading to +users with different local IDs than they previously had. + </para> + <para> + Per defecte: 200000 + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_default_domain_sid (cadena)</term> + <listitem> + <para> + Specify the domain SID of the default domain. This will guarantee that this +domain will always be assigned to slice zero in the ID map, bypassing the +murmurhash algorithm described above. + </para> + <para> + Per defecte: sense establir + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_default_domain (cadena)</term> + <listitem> + <para> + Specify the name of the default domain. + </para> + <para> + Per defecte: sense establir + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_autorid_compat (booleà)</term> + <listitem> + <para> + Changes the behavior of the ID-mapping algorithm to behave more similarly to +winbind's <quote>idmap_autorid</quote> algorithm. + </para> + <para> + When this option is configured, domains will be allocated starting with +slice zero and increasing monotonically with each additional domain. + </para> + <para> + NOTE: This algorithm is non-deterministic (it depends on the order that +users and groups are requested). 
If this mode is required for compatibility +with machines running winbind, it is recommended to also use the +<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at +least one domain is consistently allocated to slice zero. + </para> + <para> + Per defecte: False + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>ldap_idmap_helper_table_size (integer)</term> + <listitem> + <para> + Maximal number of secondary slices that is tried when performing mapping +from UNIX id to SID. + </para> + <para> + Note: Additional secondary slices might be generated when SID is being +mapped to UNIX id and RID part of SID is out of range for secondary slices +generated so far. If value of ldap_idmap_helper_table_size is equal to 0 +then no additional secondary slices are generated. + </para> + <para> + Per defecte: 10 + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect3> + </refsect2> + + <refsect2 id='well_known_sids'> + <title>Well-Known SIDs</title> + <para> + SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a +special hardcoded meaning. Since the generic users and groups related to +those Well-Known SIDs have no equivalent in a Linux/UNIX environment no +POSIX IDs are available for those objects. + </para> + <para> + The SID name space is organized in authorities which can be seen as +different domains. 
The authorities for the Well-Known SIDs are + <itemizedlist> + <listitem><para>Null Authority</para></listitem> + <listitem><para>World Authority</para></listitem> + <listitem><para>Local Authority</para></listitem> + <listitem><para>Creator Authority</para></listitem> + <listitem><para>Mandatory Label Authority</para></listitem> + <listitem><para>Authentication Authority</para></listitem> + <listitem><para>NT Authority</para></listitem> + <listitem><para>Built-in</para></listitem> + </itemizedlist> + The capitalized version of these names are used as domain names when +returning the fully qualified name of a Well-Known SID. + </para> + <para> + Since some utilities allow to modify SID based access control information +with the help of a name instead of using the SID directly SSSD supports to +look up the SID by the name as well. To avoid collisions only the fully +qualified names can be used to look up Well-Known SIDs. As a result the +domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, +<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, +<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION +AUTHORITY</quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> +should not be used as domain names in <filename>sssd.conf</filename>. + </para> + </refsect2> + +</refsect1> diff --git a/src/man/ca/include/ldap_search_bases.xml b/src/man/ca/include/ldap_search_bases.xml new file mode 100644 index 0000000..a97835a --- /dev/null +++ b/src/man/ca/include/ldap_search_bases.xml 
@@ -0,0 +1,31 @@ +<listitem> + <para> + An optional base DN, search scope and LDAP filter to restrict LDAP searches +for this attribute type. + </para> + <para> + syntax: <programlisting> +search_base[?scope?[filter][?search_base?scope?[filter]]*] +</programlisting> + </para> + <para> + The scope can be one of "base", "onelevel" or "subtree". The scope functions +as specified in section 4.5.1.2 of http://tools.ietf.org/html/rfc4511 + </para> + <para> + The filter must be a valid LDAP search filter as specified by +http://www.ietf.org/rfc/rfc2254.txt + </para> + <para> + For examples of this syntax, please refer to the +<quote>ldap_search_base</quote> examples section. + </para> + <para> + Per defecte: el valor de <emphasis>ldap_search_base</emphasis> + </para> + <para> + Please note that specifying scope or filter is not supported for searches +against an Active Directory Server that might yield a large number of +results and trigger the Range Retrieval extension in the response. + </para> +</listitem> diff --git a/src/man/ca/include/local.xml b/src/man/ca/include/local.xml new file mode 100644 index 0000000..38c058b --- /dev/null +++ b/src/man/ca/include/local.xml @@ -0,0 +1,17 @@ +<refsect1 id='local'> + <title>EL DOMINI LOCAL</title> + <para> + Per a un funcionament correcte, s'ha de crear un domini amb +<quote>id_provider=local</quote> i l'SSSD ha d'estar en execució. + </para> + <para> + L'administrador pot ser que vulgui utilitzar els usuaris locals de l'SSSD en +lloc dels usuaris tradicionals d'UNIX en els casos en què es requereixi la +imbricació dels grups (vegeu <citerefentry> +<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> +</citerefentry>). Els usuaris locals també són útils per provar i desplegar +l'SSSD sense haver de desplegar tot un servidor remot. Les eines +<command>sss_user*</command> i <command>sss_group*</command> utilitzen +l'emmagatzematge LDB local per emmagatzemar els usuaris i els grups. + </para> +</refsect1> 
diff --git a/src/man/ca/include/override_homedir.xml b/src/man/ca/include/override_homedir.xml new file mode 100644 index 0000000..858b46f --- /dev/null +++ b/src/man/ca/include/override_homedir.xml 
@@ -0,0 +1,78 @@ +<varlistentry> +<term>override_homedir (cadena)</term> +<listitem> + <para> + Override the user's home directory. You can either provide an absolute value +or a template. In the template, the following sequences are substituted: +<variablelist> + <varlistentry> + <term>%u</term> + <listitem><para>nom d'usuari</para></listitem> + </varlistentry> + <varlistentry> + <term>%U</term> + <listitem><para>UID number</para></listitem> + </varlistentry> + <varlistentry> + <term>%d</term> + <listitem><para>domain name</para></listitem> + </varlistentry> + <varlistentry> + <term>%f</term> + <listitem><para>fully qualified user name (user@domain)</para></listitem> + </varlistentry> + <varlistentry> + <term>%l</term> + <listitem><para>The first letter of the login name.</para></listitem> + </varlistentry> + <varlistentry> + <term>%P</term> + <listitem><para>UPN - User Principal Name (name@REALM)</para></listitem> + </varlistentry> + <varlistentry> + <term>%o</term> + <listitem><para> + The original home directory retrieved from the identity provider. + </para></listitem> + </varlistentry> + <varlistentry> + <term>%h</term> + <listitem><para> + The original home directory retrieved from the identity provider, but in +lower case. + </para></listitem> + </varlistentry> + <varlistentry> + <term>%H</term> + <listitem><para> + The value of configure option <emphasis>homedir_substring</emphasis>. + </para></listitem> + </varlistentry> + <varlistentry> + <term>%%</term> + <listitem><para>a literal '%'</para> + </listitem> + </varlistentry> + </variablelist> + </para> + <para> + This option can also be set per-domain. 
+ </para> + <para> + exemple: <programlisting> +override_homedir = /home/%u + </programlisting> + </para> + <para> + Default: Not set (SSSD will use the value retrieved from LDAP) + </para> + <para> + Please note, the home directory from a specific override for the user, +either locally (see +<citerefentry><refentrytitle>sss_override</refentrytitle> +<manvolnum>8</manvolnum></citerefentry>) or centrally managed IPA +id-overrides, has a higher precedence and will be used instead of the value +given by override_homedir. + </para> +</listitem> +</varlistentry> diff --git a/src/man/ca/include/param_help.xml b/src/man/ca/include/param_help.xml new file mode 100644 index 0000000..e7f3253 --- /dev/null +++ b/src/man/ca/include/param_help.xml @@ -0,0 +1,10 @@ +<varlistentry> + <term> + <option>-?</option>,<option>--help</option> + </term> + <listitem> + <para> + Mostra el missatge d'ajuda i surt. + </para> + </listitem> +</varlistentry> diff --git a/src/man/ca/include/param_help_py.xml b/src/man/ca/include/param_help_py.xml new file mode 100644 index 0000000..7c6afb5 --- /dev/null +++ b/src/man/ca/include/param_help_py.xml @@ -0,0 +1,10 @@ +<varlistentry> + <term> + <option>-h</option>,<option>--help</option> + </term> + <listitem> + <para> + Mostra el missatge d'ajuda i surt. + </para> + </listitem> +</varlistentry> diff --git a/src/man/ca/include/seealso.xml b/src/man/ca/include/seealso.xml new file mode 100644 index 0000000..eb1b27c --- /dev/null +++ b/src/man/ca/include/seealso.xml 
@@ -0,0 +1,49 @@ + <refsect1 id='see_also'> + <title>VEGEU TAMBÉ</title> + <para> + <citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-ldap-attributes</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, <phrase condition="with_files_provider"> <citerefentry> +<refentrytitle>sssd-files</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>, </phrase> <phrase condition="with_sudo"> <citerefentry> +<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> +</citerefentry>, </phrase> <citerefentry> +<refentrytitle>sssd-session-recording</refentrytitle> +<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> +<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <citerefentry> +<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <phrase condition="with_ssh"> <citerefentry> +<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> +<manvolnum>8</manvolnum> </citerefentry>, <citerefentry> 
+<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> +<manvolnum>8</manvolnum> </citerefentry>, </phrase> <phrase +condition="with_ifp"> <citerefentry> <refentrytitle>sssd-ifp</refentrytitle> +<manvolnum>5</manvolnum> </citerefentry>, </phrase> <citerefentry> +<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>. <citerefentry> +<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> +</citerefentry> <phrase condition="with_stap"> <citerefentry> +<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> +</citerefentry> </phrase> + </para> + </refsect1> diff --git a/src/man/ca/include/service_discovery.xml b/src/man/ca/include/service_discovery.xml new file mode 100644 index 0000000..032d52c --- /dev/null +++ b/src/man/ca/include/service_discovery.xml 
@@ -0,0 +1,41 @@ +<refsect1 id='service_discovery'> + <title>SERVICE DISCOVERY</title> + <para> + The service discovery feature allows back ends to automatically find the +appropriate servers to connect to using a special DNS query. This feature is +not supported for backup servers. + </para> + <refsect2 id='configuration'> + <title>Configuració</title> + <para> + If no servers are specified, the back end automatically uses service +discovery to try to find a server. Optionally, the user may choose to use +both fixed server addresses and service discovery by inserting a special +keyword, <quote>_srv_</quote>, in the list of servers. The order of +preference is maintained. This feature is useful if, for example, the user +prefers to use service discovery whenever possible, and fall back to a +specific server when no servers can be discovered using DNS. + </para> + </refsect2> + <refsect2 id='domain_name'> + <title>El nom del domini</title> + <para> + Please refer to the <quote>dns_discovery_domain</quote> parameter in the +<citerefentry> <refentrytitle>sssd.conf</refentrytitle> +<manvolnum>5</manvolnum> </citerefentry> manual page for more details. + </para> + </refsect2> + <refsect2 id='search_protocol'> + <title>El protocol</title> + <para> + The queries usually specify _tcp as the protocol. Exceptions are documented +in respective option description. + </para> + </refsect2> + <refsect2 id='reference'> + <title>Vegeu també</title> + <para> + For more information on the service discovery mechanism, refer to RFC 2782. + </para> + </refsect2> +</refsect1> diff --git a/src/man/ca/include/upstream.xml b/src/man/ca/include/upstream.xml new file mode 100644 index 0000000..2a4ad16 --- /dev/null +++ b/src/man/ca/include/upstream.xml @@ -0,0 +1,3 @@ +<refentryinfo> +<productname>SSSD</productname> <orgname>The SSSD upstream - +https://github.com/SSSD/sssd/</orgname></refentryinfo> 
diff --git a/src/man/ca/sss_obfuscate.8.xml b/src/man/ca/sss_obfuscate.8.xml new file mode 100644 index 0000000..83cc0b0 --- /dev/null +++ b/src/man/ca/sss_obfuscate.8.xml 
@@ -0,0 +1,98 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>Pàgines del manual de l'SSSD</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sss_obfuscate</refentrytitle> + <manvolnum>8</manvolnum> + </refmeta> + + <refnamediv id='name'> + <refname>sss_obfuscate</refname> + <refpurpose>ofusca una contrasenya en text clar</refpurpose> + </refnamediv> + + <refsynopsisdiv id='synopsis'> + <cmdsynopsis> +<command>sss_obfuscate</command> <arg choice='opt'> +<replaceable>opcions</replaceable> </arg> <arg +choice='plain'><replaceable>[PASSWORD]</replaceable></arg></cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id='description'> + <title>DESCRIPCIÓ</title> + <para> + <command>sss_obfuscate</command> converteix una contrasenya especificada a +un format illegible per als humans i la posa a la secció del domini adequat +del fitxer de configuració de l'SSSD. + </para> + <para> + La contrasenya en text clar es llegeix de l'entrada estàndard o s'introdueix +de forma interactiva. La contrasenya ofuscada es fica al paràmetre +<quote>ldap_default_authtok</quote> del domini SSSD indicat, i el paràmetre +<quote>ldap_default_authtok_type</quote> s'estableix a +<quote>obfuscated_password</quote>. Consulteu <citerefentry> +<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> +</citerefentry> per a més detalls sobre aquests paràmetres. + </para> + <para> + Tingueu en compte que ofuscar les contrasenyes <emphasis>no proporciona cap +benefici real de seguretat</emphasis>, ja que un atacant encara podria +extreure la contrasenya amb enginyeria inversa. Es recomana +<emphasis>aferrissadament</emphasis> l'ús de mecanismes d'autenticació +millors com els certificats al cantó del client o el GSSAPI. 
+ </para> + </refsect1> + + <refsect1 id='options'> + <title>OPCIONS</title> + <variablelist remap='IP'> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help_py.xml" /> + <varlistentry> + <term> + <option>-s</option>,<option>--stdin</option> + </term> + <listitem> + <para> + La contrasenya per ofuscar es llegirà de l'entrada estàndard. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-d</option>,<option>--domain</option> +<replaceable>DOMINI</replaceable> + </term> + <listitem> + <para> + El domini SSSD on s'utilitza la contrasenya. El nom per defecte és +<quote>default</quote>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-f</option>,<option>--file</option> +<replaceable>FITXER</replaceable> + </term> + <listitem> + <para> + Llegeix el fitxer de configuració que s'especifica amb el paràmetre +posicional. + </para> + <para> + Per defecte: <filename>/etc/sssd/sssd.conf</filename> + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" /> + +</refentry> +</reference> diff --git a/src/man/ca/sss_rpcidmapd.5.xml b/src/man/ca/sss_rpcidmapd.5.xml new file mode 100644 index 0000000..ea4f529 --- /dev/null +++ b/src/man/ca/sss_rpcidmapd.5.xml 
@@ -0,0 +1,113 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>Pàgines del manual de l'SSSD</title> +<refentry> + <refentryinfo> +<productname>sss rpc.idmapd plugin</productname> <author> +<firstname>Noam</firstname> <surname>Meltzer</surname> <affiliation> +<orgname>Primary Data Inc.</orgname> </affiliation> <contrib>Desenvolupador +(2013-2014)</contrib> </author> <author> <firstname>Noam</firstname> +<surname>Meltzer</surname> <contrib>Desenvolupador (2014-)</contrib> +<email>tsnoam@gmail.com</email> </author></refentryinfo> + + <refmeta> + <refentrytitle>sss_rpcidmapd</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="manual">Formats i convencions dels fitxers</refmiscinfo> + </refmeta> + + <refnamediv id='name'> + <refname>sss_rpcidmapd</refname> + <refpurpose>les directrius de configuració del complement sss per al rpc.idmapd</refpurpose> + </refnamediv> + + <refsect1 id='conf-file'> + <title>FITXER DE CONFIGURACIÓ</title> + <para> + El fitxer de configuració rpc.idmapd normalment es troba a +<emphasis>/etc/idmapd.conf</emphasis>. Vegeu <citerefentry> +<refentrytitle>idmapd.conf</refentrytitle> <manvolnum>5</manvolnum> +</citerefentry> per més informació. + </para> + </refsect1> + + <refsect1 id='sss-conf-extension'> + <title>AMPLIACIÓ DE LA CONFIGURACIÓ DE L'SSS</title> + <refsect2 id='enable-sss'> + <title>Habilita el complement SSS</title> + <para> + En la secció <quote>[Translation]</quote>, modifiqueu o establiu l'atribut +<quote>Method</quote> per abastar <emphasis>sss</emphasis>. 
+ </para> + </refsect2> + <refsect2 id='sss-conf-sect'> + <title>Secció de configuració [sss]</title> + <para> + Per canviar el valor per defecte d'un dels atributs de configuració del +connector de l'<emphasis>sss</emphasis> que es llisten a continuació, +necessitareu crear-li una secció de configuració, anomenada +<quote>[sss]</quote>. + </para> + <variablelist> + <title>Atributs de configuració</title> + <varlistentry> + <term>memcache (booleà)</term> + <listitem> + <para> + Indica si s'utilitza o no la tècnica d'optimització de la memòria cau. + </para> + <para> + Per defecte: True + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect2> + </refsect1> + + <refsect1 id='sssd-integration'> + <title>INTEGRACIÓ DE L'SSSD</title> + <para> + El connector sss requereix que s'habiliti el <emphasis>contestador del +NSS</emphasis> al sssd. + </para> + <para> + L'atribut <quote>use_fully_qualified_names</quote> ha d'estar habilitat en +tots els dominis (els clients de NFSv4 esperen un FQN per a ser enviats al +cable). + </para> + </refsect1> + + <refsect1 id='example'> + <title>EXEMPLE</title> + <para> + En el següent exemple es mostra un idmapd.conf mínim que fa ús del connector +sss. <programlisting> +[General] +Verbosity = 2 +# el domini ha de sincronitzar-se entre el servidor i els clients del NFSv4 +# Solaris/Illumos/AIX utilitzen "localdomain" com a predeterminat! +Domain = default + +[Mapping] +Nobody-User = nfsnobody +Nobody-Group = nfsnobody + +[Translation] +Method = sss +</programlisting> + </para> + </refsect1> + + <refsect1 id='see_also'> + <title>VEGEU TAMBÉ</title> + <para> + <citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> +</citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> +<manvolnum>5</manvolnum> </citerefentry> + </para> + </refsect1> +</refentry> +</reference> diff --git a/src/man/ca/sss_seed.8.xml b/src/man/ca/sss_seed.8.xml new file mode 100644 index 0000000..b63af2c --- /dev/null 
+++ b/src/man/ca/sss_seed.8.xml 
@@ -0,0 +1,169 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>Pàgines del manual de l'SSSD</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sss_seed</refentrytitle> + <manvolnum>8</manvolnum> + </refmeta> + + <refnamediv id='name'> + <refname>sss_seed</refname> + <refpurpose>implanta la memòria cau de l'SSSD amb un usuari</refpurpose> + </refnamediv> + + <refsynopsisdiv id='synopsis'> + <cmdsynopsis> +<command>sss_seed</command> <arg choice='opt'> +<replaceable>opcions</replaceable> </arg> <arg choice='plain'>-D +<replaceable>DOMINI</replaceable></arg> <arg choice='plain'>-n +<replaceable>USUARI</replaceable></arg></cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id='description'> + <title>DESCRIPCIÓ</title> + <para> + <command>sss_seed</command> implanta la memòria cau de l'SSSD amb una +entrada d'un usuari i la contrasenya temporal. Si l'entrada d'un usuari ja +està present a la memòria cau de l'SSSD aleshores s'actualitza l'entrada amb +la contrasenya temporal. + </para> + <para> + </para> + </refsect1> + + <refsect1 id='options'> + <title>OPCIONS</title> + <variablelist remap='IP'> + <varlistentry> + <term> + <option>-D</option>,<option>--domain</option> +<replaceable>DOMINI</replaceable> + </term> + <listitem> + <para> + Proporciona el nom del domini en el qual l'usuari n'és membre. El domini +també s'utilitza per recuperar la informació de l'usuari. El domini ha +d'estar configurat a l'sssd.conf. S'ha de proporcionar l'opció del +<replaceable>DOMINI</replaceable>. La informació recuperada del domini +anul·la aquella que es proporcioni a les opcions. 
+ </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-n</option>,<option>--username</option> +<replaceable>USER</replaceable> + </term> + <listitem> + <para> + L'entrada del nom d'usuari a crear o modificar a la memòria cau. S'ha de +proporcionar l'opció de l'<replaceable>USUARI</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable> + </term> + <listitem> + <para> + Estableix l'UID de l'usuari a <replaceable>UID</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable> + </term> + <listitem> + <para> + Estableix el GID de l'usuari a <replaceable>GID</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-c</option>,<option>--gecos</option> +<replaceable>COMMENTARI</replaceable> + </term> + <listitem> + <para> + Qualsevol cadena de text amb la descripció de l'usuari. Sovint s'utilitza +com a camp per al nom complet de l'usuari. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-h</option>,<option>--home</option> +<replaceable>DIRECTORI_INICIAL</replaceable> + </term> + <listitem> + <para> + Establix el directori inicial de l'usuari a +<replaceable>DIRECTORI_INICIAL</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-s</option>,<option>--shell</option> +<replaceable>SHELL</replaceable> + </term> + <listitem> + <para> + Estableix el shell d'inici de sessió de l'usuari a +<replaceable>SHELL</replaceable>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-i</option>,<option>--interactive</option> + </term> + <listitem> + <para> + Mode interactiu per a la introducció de la informació de l'usuari. Aquesta +opció només demanà la informació no proporcionada a les opcions o que no es +recuperi del domini. 
+ </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-p</option>,<option>--password-file</option> +<replaceable>FITXER_CONTRASENYA</replaceable> + </term> + <listitem> + <para> + Especifica el fitxer des d'on llegir la contrasenya de l'usuari. (si no +s'especifica, es demana per la contrasenya) + </para> + </listitem> + </varlistentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/param_help.xml" /> + </variablelist> + </refsect1> + + <refsect1 id='notes'> + <title>NOTES</title> + <para> + La longitud de la contrasenya (o la mida del fitxer que s'especifica amb +l'opció -p o --password-file) ha de ser més petita o igual que PASS_MAX +bytes (64 bytes en els sistemes que no defineixen globalment el valor de +PASS_MAX). + </para> + <para> + </para> + </refsect1> + + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" /> + +</refentry> +</reference> diff --git a/src/man/ca/sssd-simple.5.xml b/src/man/ca/sssd-simple.5.xml new file mode 100644 index 0000000..8a80d56 --- /dev/null +++ b/src/man/ca/sssd-simple.5.xml 
@@ -0,0 +1,154 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN" +"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> +<reference> +<title>Pàgines del manual de l'SSSD</title> +<refentry> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" /> + + <refmeta> + <refentrytitle>sssd-simple</refentrytitle> + <manvolnum>5</manvolnum> + <refmiscinfo class="manual">Formats i convencions dels fitxers</refmiscinfo> + </refmeta> + + <refnamediv id='name'> + <refname>sssd-simple</refname> + <refpurpose>el fitxer de configuració per al proveïdor de control d'accés 'simple' de +l'SSSD</refpurpose> + </refnamediv> + + <refsect1 id='description'> + <title>DESCRIPCIÓ</title> + <para> + En aquesta pàgina del manual es descriu la configuració del proveïdor de +control d'accés simple per a <citerefentry> +<refentrytitle>sssd</refentrytitle> +<manvolnum>8</manvolnum></citerefentry>. Per a una referència detallada de +la sintaxi, aneu a la secció <quote>FORMAT DEL FITXER</quote> de la pàgina +del manual <citerefentry> <refentrytitle>sssd.conf</refentrytitle> +<manvolnum>5</manvolnum> </citerefentry>. + </para> + <para> + El proveïdor d'accés simple concedeix o denega l'accés basat en una llista +d'accés o denegació dels noms dels usuaris o dels noms dels +grups. S'apliquen les regles següents: + <itemizedlist> + <listitem> + <para>Si totes les llistes estan buides, es concedeix l'accés</para> + </listitem> + <listitem> + <para> + Si es proporciona alguna llista, l'ordre d'avaluació és permissió, +denegació. Això vol dir que qualsevol coincidència amb la regla de denegació +reemplaçarà qualsevol coincidència amb la regla de permissió. + </para> + </listitem> + <listitem> + <para> + Si es proporcionen una o ambdues llistes de "permissió", tots els usuaris +són denegats excepte els que apareixen a la llista. 
+ </para> + </listitem> + <listitem> + <para> + Si només es proporcionen llistes de "denegació", es concedeix l'accés a tots +els usuaris excepte els que apareixen a la llista. + </para> + </listitem> + </itemizedlist> + </para> + </refsect1> + + <refsect1 id='configuration-options'> + <title>OPCIONS DE CONFIGURACIÓ</title> + <para>Per a més informació sobre la configuració d'un domini SSSD, consulteu la +secció <quote>SECCIONS DELS DOMINIS</quote> de la pàgina del manual +<citerefentry> <refentrytitle>sssd.conf</refentrytitle> +<manvolnum>5</manvolnum> </citerefentry>. <variablelist> + <varlistentry> + <term>simple_allow_users (cadena)</term> + <listitem> + <para> + Llista separada per comes dels usuaris a qui se'ls permet iniciar la sessió. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>simple_deny_users (cadena)</term> + <listitem> + <para> + Llista separada per comes dels usuaris a qui se'ls denega explícitament +l'accés. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>simple_allow_groups (cadena)</term> + <listitem> + <para> + Llista separada per comes dels grups a qui se'ls permet iniciar la +sessió. Això s'aplica únicament als grups dins d'aquest domini SSSD. No +s'avaluen els grups locals. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>simple_deny_groups (cadena)</term> + <listitem> + <para> + Llista separada per comes dels grups a qui se'ls denega explícitament +l'accés. Això s'aplica únicament als grups dins d'aquest domini SSSD. No +s'avaluen els grups locals. + </para> + </listitem> + </varlistentry> + </variablelist> + </para> + <para> + Specifying no values for any of the lists is equivalent to skipping it +entirely. Beware of this while generating parameters for the simple provider +using automated scripts. + </para> + <para> + Si us plau, tingueu en compte que és un error de configuració si es +defineixen alhora simple_allow_users i simple_deny_users. 
+ </para> + </refsect1> + + <refsect1 id='example'> + <title>EXEMPLE</title> + <para> + En el següent exemple s'assumeix que l'SSD està configurat correctament i +que exemple.com és un dels dominis de la secció +<replaceable>[sssd]</replaceable>. En aquest exemple es mostren únicament +les opcions específiques del proveïdor d'accés simple. + </para> + <para> +<programlisting> +[domini/exemple.com] +access_provider = simple +simple_allow_users = usuari1, usuari2 +</programlisting> + </para> + </refsect1> + + <refsect1 id='notes'> + <title>NOTES</title> + <para> + La jerarquia completa de la pertinença a un grup es resol abans de la +comprovació de l'accés, de manera que fins i tot els grups imbricats es +poden incloure a les llistes d'accés. Si us plau, tingueu cura que l'opció +<quote>ldap_group_nesting_level</quote> pot influir amb els resultats i s'ha +d'establir amb un valor suficient. L'opció (<citerefentry> +<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> +</citerefentry>). + </para> + </refsect1> + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/seealso.xml" /> + +</refentry> +</reference> |
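Review bot: The ID-mapping hunk (the ldap_idmap_* entries through the Well-Known SIDs section) is only partially translated: every "Per defecte:" line is Catalan while the descriptive paragraphs stay English, and the type markers mix languages ("<term>ldap_idmap_range_min (enter)</term>" next to "<term>ldap_idmap_helper_table_size (integer)</term>"). Either translate the paragraphs too or leave the whole entry in English until the catalog covers it, and use "enter" consistently; the mixed form is what a reader of the Catalan man page gets, and the operational notes in this hunk (the ldap_idmap_range_size warning that logins fail for RIDs above the range, the non-deterministic slice allocation under ldap_idmap_autorid_compat) are the ones an administrator most needs to be able to read.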
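Review bot: In the ldap_search_bases.xml hunk the filter reference still points at http://www.ietf.org/rfc/rfc2254.txt; RFC 2254 has been obsoleted by RFC 4515, so the sentence "The filter must be a valid LDAP search filter as specified by" should cite RFC 4515 (the rfc4511 link used for the scope semantics is current). The text is inherited from the English source, so fix it there so that every translation follows. Also, only "Per defecte: el valor de ldap_search_base" is translated in this include while the rest remains English.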
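Review bot: In override_homedir.xml only the first substitution is translated ("<term>%u</term> <listitem><para>nom d'usuari</para></listitem>") while "%U UID number", "%d domain name" and the remaining entries stay English, and "exemple:" is translated but "Default: Not set" is not; the substitution list should be translated as one unit. Independently of the translation, the %H entry reads "The value of configure option homedir_substring", which should be "configuration option" in the English source.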
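Review bot: The citerefentry list in seealso.xml is terminated too early: the pam_sss entry ends with "</citerefentry>. <citerefentry>" and is then followed by sss_rpcidmapd(5) and the with_stap sssd-systemtap(5) phrase with no separator between them. Change the period after pam_sss to a comma, add a comma after the sss_rpcidmapd citerefentry (before the <phrase condition="with_stap"> block), and end the list with a period after the last entry, so the rendered VEGEU TAMBÉ list does not read "pam_sss(8). sss_rpcidmapd(5) sssd-systemtap(5)".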
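Review bot: In service_discovery.xml the refsect2 titles are translated ("Configuració", "El nom del domini", "El protocol", "Vegeu també") while the refsect1 title "SERVICE DISCOVERY" and every paragraph remain English. Translated headings over English body text read as broken; translate the paragraphs and the main title together, or keep the headings in English until the body strings are in the catalog.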
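Review bot: Spelling in the DESCRIPCIÓ paragraph of sss_obfuscate.8.xml: "un format illegible per als humans" should use the ela geminada, "il·legible". In the synopsis the placeholder "<replaceable>[PASSWORD]</replaceable>" is left in English while "opcions" is translated; the other pages in this series use Catalan placeholders (FITXER_CONTRASENYA in sss_seed), so "[CONTRASENYA]" would be consistent. The emphasised paragraph stating that obfuscation "no proporciona cap benefici real de seguretat" is carried over correctly and should keep its emphasis.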
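Review bot: Several typos in sss_seed.8.xml: "<replaceable>COMMENTARI</replaceable>" in the --gecos term should be "COMENTARI"; "Establix el directori inicial" in --home should be "Estableix"; "opció només demanà la informació" in --interactive should be "demana". The --username term uses "<replaceable>USER</replaceable>" while the synopsis and the description use "USUARI"; make them match. The empty "<para> </para>" elements in DESCRIPCIÓ and NOTES render as blank paragraphs and look like untranslated placeholders; drop them or fill them from the English source.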
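Review bot: The EXEMPLE in sssd-simple.5.xml translates a configuration keyword: the section header is written "[domini/exemple.com]", but sssd.conf section names are syntax, not prose, and a domain section must be spelled "[domain/exemple.com]". As written, SSSD would not recognise the section as a domain, so the "access_provider = simple" and "simple_allow_users = usuari1, usuari2" lines under it would never take effect; keep "domain" untranslated and consider excluding the programlisting from translation altogether. Smaller points in the same hunk: "l'SSD està configurat" should be "l'SSSD"; the paragraph "Specifying no values for any of the lists ..." is left in English; and the NOTES section ends with the dangling fragment "L'opció (<citerefentry>sssd-ldap</citerefentry>).", which should be attached to the preceding sentence about ldap_group_nesting_level as its parenthetical reference.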