From ed95a928eb095f8585bf216a05182a3e30cc9886 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Mon, 20 May 2024 17:22:34 +0200
Subject: Adding upstream version 2.9.5.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 src/man/sssd.conf.5.xml | 61 +++++++++++++++++++++++++++++++++++++++++++++----
 1 file changed, 56 insertions(+), 5 deletions(-)

(limited to 'src/man/sssd.conf.5.xml')

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index e7a8cbd..fbb82e3 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
+"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"
 [
 <!ENTITY sssd_user_name SYSTEM "sssd_user_name.include">
 ]>
@@ -1684,7 +1684,7 @@ pam_account_locked_message = Account locked, please contact help desk.
                             Enable passkey device based authentication.
                         </para>
                         <para>
-                            Default: False
+                            Default: True
                         </para>
                     </listitem>
                 </varlistentry>
@@ -1793,7 +1793,7 @@ pam_cert_verification = partial_chain
                     </listitem>
                 </varlistentry>
                 <varlistentry>
-                    <term>pam_p11_allowed_services (integer)</term>
+                    <term>pam_p11_allowed_services (string)</term>
                     <listitem>
                         <para>
                             A comma-separated list of PAM service names for
@@ -3773,6 +3773,25 @@ pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit
                     </listitem>
                 </varlistentry>
 
+                <varlistentry>
+                    <term>failover_primary_timeout (integer)</term>
+                    <listitem>
+                        <para>
+                            When no primary server is currently available,
+                            SSSD fail overs to a backup server. This option
+                            defines the amount of time (in seconds) to
+                            wait before SSSD tries to reconnect to a primary
+                            server again.
+                        </para>
+                        <para>
+                            Note: The minimum value is 31.
+                        </para>
+                        <para>
+                            Default: 31
+                        </para>
+                    </listitem>
+                </varlistentry>
+
                 <varlistentry>
                     <term>override_gid (integer)</term>
                     <listitem>
@@ -3996,7 +4015,9 @@ subdomain_inherit = ldap_purge_cache_timeout
                             two-factor authentication (IPA), or other methods
                             against a central instance. By default in such cases
                             authentication is only performed with the methods
-                            supported by the backend.
+                            supported by the backend. With this option additional
+                            methods can be enabled which are evaluated and checked
+                            locally.
                         </para>
                         <para>
                             There are three possible values for this option:
@@ -4010,6 +4031,36 @@ subdomain_inherit = ldap_purge_cache_timeout
                             should be comma-separated, such as
                             <quote>enable:passkey, enable:smartcard</quote>
                         </para>
+
+                        <para>
+                            The following table shows which authentication
+                            methods, if configured properly, are currently enabled
+                             or disabled for each backend, with the default
+                             local_auth_policy: <quote>match</quote>
+                        </para>
+                        <informaltable frame='all'>
+                        <tgroup cols='3'>
+                        <colspec colname='c1' align='center'/>
+                        <colspec colname='c2' align='center'/>
+                        <colspec colname='c3' align='center'/>
+
+                        <thead>
+                        <row><entry namest='c1' nameend='c3' align='center'>
+                            local_auth_policy = match (default)</entry></row>
+                        <row><entry></entry><entry>Passkey</entry>
+                            <entry>Smartcard</entry></row>
+                        </thead>
+                        <tbody>
+                        <row><entry>IPA</entry><entry>enabled</entry>
+                            <entry><para>enabled</para>
+                            </entry></row>
+                        <row><entry>AD</entry><entry>disabled</entry>
+                            <entry><para>enabled</para></entry>
+                            </row>
+                        <row><entry>LDAP</entry><entry>disabled</entry>
+                            <entry><para>disabled</para></entry>
+                            </row>
+                        </tbody></tgroup></informaltable>
                         <para>
                             Please note that if local Smartcard authentication
                             is enabled and a Smartcard is present, Smartcard
-- 
cgit v1.2.3