Diffstat (limited to '')
-rw-r--r--src/man/sssd.conf.5.xml61
1 files changed, 56 insertions, 5 deletions
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e7a8cbd..fbb82e3 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"
[
<!ENTITY sssd_user_name SYSTEM "sssd_user_name.include">
]>
@@ -1684,7 +1684,7 @@ pam_account_locked_message = Account locked, please contact help desk.
Enable passkey device based authentication.
</para>
<para>
- Default: False
+ Default: True
</para>
</listitem>
</varlistentry>
@@ -1793,7 +1793,7 @@ pam_cert_verification = partial_chain
</listitem>
</varlistentry>
<varlistentry>
- <term>pam_p11_allowed_services (integer)</term>
+ <term>pam_p11_allowed_services (string)</term>
<listitem>
<para>
A comma-separated list of PAM service names for
@@ -3774,6 +3774,25 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
</varlistentry>
<varlistentry>
+ <term>failover_primary_timeout (integer)</term>
+ <listitem>
+ <para>
+ When no primary server is currently available,
+ SSSD fail overs to a backup server. This option
+ defines the amount of time (in seconds) to
+ wait before SSSD tries to reconnect to a primary
+ server again.
+ </para>
+ <para>
+ Note: The minimum value is 31.
+ </para>
+ <para>
+ Default: 31
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term>override_gid (integer)</term>
<listitem>
<para>
@@ -3996,7 +4015,9 @@ subdomain_inherit = ldap_purge_cache_timeout
two-factor authentication (IPA), or other methods
against a central instance. By default in such cases
authentication is only performed with the methods
- supported by the backend.
+ supported by the backend. With this option additional
+ methods can be enabled which are evaluated and checked
+ locally.
</para>
<para>
There are three possible values for this option:
@@ -4010,6 +4031,36 @@ subdomain_inherit = ldap_purge_cache_timeout
should be comma-separated, such as
<quote>enable:passkey, enable:smartcard</quote>
</para>
+
+ <para>
+ The following table shows which authentication
+ methods, if configured properly, are currently enabled
+ or disabled for each backend, with the default
+ local_auth_policy: <quote>match</quote>
+ </para>
+ <informaltable frame='all'>
+ <tgroup cols='3'>
+ <colspec colname='c1' align='center'/>
+ <colspec colname='c2' align='center'/>
+ <colspec colname='c3' align='center'/>
+
+ <thead>
+ <row><entry namest='c1' nameend='c3' align='center'>
+ local_auth_policy = match (default)</entry></row>
+ <row><entry></entry><entry>Passkey</entry>
+ <entry>Smartcard</entry></row>
+ </thead>
+ <tbody>
+ <row><entry>IPA</entry><entry>enabled</entry>
+ <entry><para>enabled</para>
+ </entry></row>
+ <row><entry>AD</entry><entry>disabled</entry>
+ <entry><para>enabled</para></entry>
+ </row>
+ <row><entry>LDAP</entry><entry>disabled</entry>
+ <entry><para>disabled</para></entry>
+ </row>
+ </tbody></tgroup></informaltable>
<para>
Please note that if local Smartcard authentication
is enabled and a Smartcard is present, Smartcard