#: sssd.conf.5.xml:8 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 #: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 #: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 #: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sssd-krb5.5.xml:5 #: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-session-recording.5.xml:5 sssd-kcm.8.xml:5 #: sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 #: sssd_krb5_localauth_plugin.8.xml:5 msgid "SSSD Manual pages" msgstr "Manuálové stránky SSSD" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd.conf.5.xml:13 sssd.conf.5.xml:19 msgid "sssd.conf" msgstr "sssd.conf" # auto translated by TM merge from project: Fedora Elections Guide, version: # master, DocId: Methods #. type: Content of: <reference><refentry><refmeta><manvolnum> #: sssd.conf.5.xml:14 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-session-recording.5.xml:11 sssd-systemtap.5.xml:11 #: sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" #. type: Content of: <reference><refentry><refmeta><refmiscinfo> #: sssd.conf.5.xml:15 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-session-recording.5.xml:12 sssd-kcm.8.xml:12 #: sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "Formáty souborů a konvence" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd.conf.5.xml:20 msgid "the configuration file for SSSD" msgstr "soubor s nastaveními pro SSSD" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:24 msgid "FILE FORMAT" msgstr "FORMÁT SOUBORU" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:32 #, no-wrap msgid "" "<replaceable>[section]</replaceable>\n" "<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" "<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" " " msgstr "" "<replaceable>[sekce]</replaceable>\n" "<replaceable>klíč</replaceable> = <replaceable>hodnota</replaceable>\n" "<replaceable>klíč2</replaceable> = <replaceable>hodnota2,hodnota3</replaceable>\n" " " #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:27 msgid "" "The file has an ini-style syntax and consists of sections and parameters. A " "section begins with the name of the section in square brackets and continues " "until the next section begins. An example of section with single and multi-" "valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" "Forma zápisu v souboru je ve stylu ini a sestává se ze sekcí a parametrů. " "Sekce začíná jejím názvem (v hranatých závorkách) a pokračuje až po začátek " "následující sekce. Příklad jedné sekce s jedno a vícehodnotovými parametry: " "<placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:39 msgid "" "The data types used are string (no quotes needed), integer and bool (with " "values of <quote>TRUE/FALSE</quote>)." msgstr "" "Používané datové typy jsou řetězce (není třeba obklopovat uvozovkami), celá " "čísla bolean (s hodnotami <quote>TRUE/FALSE</quote>)." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:44 msgid "" "A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " "(<quote>;</quote>). Inline comments are not supported." msgstr "" "Řádek s komentářem začíná na znak # (křížek) (<quote>#</quote>) nebo " "středník (<quote>;</quote>). Komentáře v rámci řádku nejsou podporovány." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:50 msgid "" "All sections can have an optional <replaceable>description</replaceable> " "parameter. Its function is only as a label for the section." msgstr "" "Všechny sekce mohou mít volitelný <replaceable>popis</replaceable> " "parametry. Jeho funkcí je pouze oštítkování sekce." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:56 msgid "" "<filename>sssd.conf</filename> must be a regular file, owned by root and " "only root may read from or write to the file." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:62 msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:65 msgid "" "The configuration file <filename>sssd.conf</filename> will include " "configuration snippets using the include directory <filename>conf.d</" "filename>. This feature is available if SSSD was compiled with libini " "version 1.3.0 or later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:72 msgid "" "Any file placed in <filename>conf.d</filename> that ends in " "<quote><filename>.conf</filename></quote> and does not begin with a dot " "(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " "to configure SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:80 msgid "" "The configuration snippets from <filename>conf.d</filename> have higher " "priority than <filename>sssd.conf</filename> and will override " "<filename>sssd.conf</filename> when conflicts occur. If several snippets are " "present in <filename>conf.d</filename>, then they are included in " "alphabetical order (based on locale). Files included later have higher " "priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " "<filename>02_snippet.conf</filename> etc.) can help visualize the priority " "(higher number means higher priority)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:94 msgid "" "The snippet files require the same owner and permissions as <filename>sssd." "conf</filename>. Which are by default root:root and 0600." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:101 msgid "GENERAL OPTIONS" msgstr "OBECNÉ VOLBY" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:103 msgid "Following options are usable in more than one configuration sections." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:107 msgid "Options usable in all sections" msgstr "Volby použitelné ve všech sekcích" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:111 msgid "debug_level (integer)" msgstr "debug_level (celé kladné číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:115 msgid "debug (integer)" msgstr "debug (celé kladné číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:118 msgid "" "SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " "for <replaceable>debug_level</replaceable> as a convenience feature. If both " "are specified, the value of <replaceable>debug_level</replaceable> will be " "used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:128 msgid "debug_timestamps (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:131 msgid "" "Add a timestamp to the debug messages. If journald is enabled for SSSD " "debug logging this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:136 sssd.conf.5.xml:173 sssd.conf.5.xml:358 #: sssd.conf.5.xml:714 sssd.conf.5.xml:729 sssd.conf.5.xml:952 #: sssd.conf.5.xml:1070 sssd.conf.5.xml:2198 sssd-ldap.5.xml:1073 #: sssd-ldap.5.xml:1176 sssd-ldap.5.xml:1245 sssd-ldap.5.xml:1752 #: sssd-ldap.5.xml:1817 sssd-ipa.5.xml:347 sssd-ad.5.xml:252 sssd-ad.5.xml:366 #: sssd-ad.5.xml:1200 sssd-ad.5.xml:1353 sssd-krb5.5.xml:358 msgid "Default: true" msgstr "Výchozí: true (pravda)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:141 msgid "debug_microseconds (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:144 msgid "" "Add microseconds to the timestamp in debug messages. If journald is enabled " "for SSSD debug logging this option is ignored." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:149 sssd.conf.5.xml:652 sssd.conf.5.xml:949 #: sssd.conf.5.xml:2101 sssd.conf.5.xml:2168 sssd.conf.5.xml:4244 #: sssd-ldap.5.xml:313 sssd-ldap.5.xml:919 sssd-ldap.5.xml:938 #: sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1601 sssd-ldap.5.xml:1841 #: sssd-ipa.5.xml:152 sssd-ipa.5.xml:254 sssd-ipa.5.xml:662 sssd-ad.5.xml:1106 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432 #: include/krb5_options.xml:163 msgid "Default: false" msgstr "Výchozí: false (nepravda)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:154 msgid "debug_backtrace_enabled (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:157 msgid "Enable debug backtrace." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:160 msgid "" "In case SSSD is run with debug_level less than 9, everything is logged to a " "ring buffer in memory and flushed to a log file on any error up to and " "including `min(0x0040, debug_level)` (i.e. if debug_level is explicitly set " "to 0 or 1 then only those error levels will trigger backtrace, otherwise up " "to 2)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:169 msgid "" "Feature is only supported for `logger == files` (i.e. setting doesn't have " "effect for other logger types)." msgstr "" #. type: Content of: outside any tag (error?) #: sssd.conf.5.xml:109 sssd.conf.5.xml:184 sssd-ldap.5.xml:1658 #: sssd-ldap.5.xml:1864 sss-certmap.5.xml:645 sssd-systemtap.5.xml:82 #: sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 #: sssd-systemtap.5.xml:330 sssd-ldap-attributes.5.xml:40 #: sssd-ldap-attributes.5.xml:661 sssd-ldap-attributes.5.xml:803 #: sssd-ldap-attributes.5.xml:892 sssd-ldap-attributes.5.xml:989 #: sssd-ldap-attributes.5.xml:1047 sssd-ldap-attributes.5.xml:1205 #: sssd-ldap-attributes.5.xml:1250 include/autofs_attributes.xml:1 #: include/krb5_options.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:182 msgid "Options usable in SERVICE and DOMAIN sections" msgstr "Volby použitelné v sekcích SERVICE a DOMAIN" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:186 msgid "timeout (integer)" msgstr "timeout (celé kladné číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:189 msgid "" "Timeout in seconds between heartbeats for this service. This is used to " "ensure that the process is alive and capable of answering requests. Note " "that after three missed heartbeats the process will terminate itself." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:196 sssd.conf.5.xml:1290 sssd.conf.5.xml:1767 #: sssd.conf.5.xml:4260 sssd-ldap.5.xml:766 include/ldap_id_mapping.xml:270 msgid "Default: 10" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:206 msgid "SPECIAL SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:209 msgid "The [sssd] section" msgstr "Sekce [sssd]" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><title> #: sssd.conf.5.xml:218 msgid "Section parameters" msgstr "Parametry sekce" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:220 msgid "config_file_version (integer)" msgstr "config_file_version (celé kladné číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:223 msgid "" "Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " "version 2." msgstr "" "Značí jaká je syntaxe souboru s nastaveními. SSSD 0.6.0 a novější používají " "verzi 2." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:229 msgid "services" msgstr "služby" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:232 msgid "" "Comma separated list of services that are started when sssd itself starts. " "<phrase condition=\"have_systemd\"> The services' list is optional on " "platforms where systemd is supported, as they will either be socket or D-Bus " "activated when needed. </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:241 msgid "" "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase " "condition=\"with_ssh\">, ssh</phrase> <phrase " "condition=\"with_pac_responder\">, pac</phrase> <phrase " "condition=\"with_ifp\">, ifp</phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:249 msgid "" "<phrase condition=\"have_systemd\"> By default, all services are disabled " "and the administrator must enable the ones allowed to be used by executing: " "\"systemctl enable sssd-@service@.socket\". </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:258 sssd.conf.5.xml:784 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:261 sssd.conf.5.xml:787 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:266 sssd.conf.5.xml:792 sssd.conf.5.xml:3716 #: include/failover.xml:100 msgid "Default: 3" msgstr "Výchozí: 3" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:271 msgid "domains" msgstr "domény" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:274 msgid "" "A domain is a database containing user information. SSSD can use more " "domains at the same time, but at least one must be configured or SSSD won't " "start. This parameter describes the list of domains in the order you want " "them to be queried. A domain name is recommended to contain only " "alphanumeric ASCII characters, dashes, dots and underscores. '/' character " "is forbidden." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:287 sssd.conf.5.xml:3548 msgid "re_expression (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:290 msgid "" "Default regular expression that describes how to parse the string containing " "user name and domain into these components." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:295 msgid "" "Each domain can have an individual regular expression configured. For some " "ID providers there are also default regular expressions. See DOMAIN SECTIONS " "for more info on these regular expressions." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:304 sssd.conf.5.xml:3605 msgid "full_name_format (string)" msgstr "full_name_format (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:307 sssd.conf.5.xml:3608 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " "fully qualified name from user name and domain name components." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:318 sssd.conf.5.xml:3619 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:319 sssd.conf.5.xml:3620 msgid "user name" msgstr "uživatelské jméno" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 sssd.conf.5.xml:3623 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 sssd.conf.5.xml:3626 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:331 sssd.conf.5.xml:3632 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:334 sssd.conf.5.xml:3635 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:315 sssd.conf.5.xml:3616 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:344 msgid "" "Each domain can have an individual format string configured. See DOMAIN " "SECTIONS for more info on this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:350 msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:353 msgid "" "Controls if SSSD should monitor the state of resolv.conf to identify when it " "needs to update its internal DNS resolver." msgstr "" "Ovládá zda SSSD má sledovat stav resolv.conf a zjišťovat tak, zda je " "zapotřebí aktualizovat svůj vestavěný překlad DNS názvů." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:363 msgid "try_inotify (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:366 msgid "" "By default, SSSD will attempt to use inotify to monitor configuration files " "changes and will fall back to polling every five seconds if inotify cannot " "be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:372 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " "to 'false'" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:378 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:382 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:389 msgid "krb5_rcache_dir (string)" msgstr "krb5_rcache_dir (řetězec)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:392 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" "Složka na souborovém systému kde by SSSD mělo ukládat soubory pro kerberos " "replay." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:396 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:402 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:409 msgid "user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:412 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. Currently the only supported value is '&sssd_user_name;'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:419 msgid "" "This option does not work when running socket-activated services, as the " "user set up to run the processes is set up during compilation time. The way " "to override the systemd unit files is by creating the appropriate files in /" "etc/systemd/system/. Keep in mind that any change in the socket user, group " "or permissions may result in a non-usable SSSD. The same may occur in case " "of changes of the user running the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:433 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:438 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:441 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " "domain is intended for managing host policies and all users are located in a " "trusted domain. The option allows those users to log in just with their " "user name without giving a domain name as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:451 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " "Setting this option changes default of use_fully_qualified_names to True. It " "is not allowed to use this option together with use_fully_qualified_names " "set to False. <phrase condition=\"with_files_provider\"> One exception from " "this rule are domains with <quote>id_provider=files</quote> that always try " "to match the behaviour of nss_files and therefore their output is not " "qualified even when the default_domain_suffix option is used. </phrase>" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:468 sssd-ldap.5.xml:877 sssd-ldap.5.xml:889 #: sssd-ldap.5.xml:982 sssd-ad.5.xml:920 sssd-ad.5.xml:995 sssd-krb5.5.xml:468 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:978 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222 #: include/krb5_options.xml:148 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:473 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:476 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " ""john_doe" This feature was added to help compatibility with shell " "scripts that have difficulty handling spaces, due to the default field " "separator in the shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:485 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " "character SSSD tries to return the unmodified name but in general the result " "of a lookup is undefined." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:493 msgid "Default: not set (spaces will not be replaced)" msgstr "Výchozí: nenastaveno (mezery nebudou nahrazovány)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:498 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:506 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:508 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " "the client." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:516 msgid "soft_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:518 msgid "" "If a connection cannot be established to an OCSP responder the OCSP check is " "skipped. This option should be used to allow authentication when the system " "is offline and the OCSP responder cannot be reached." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:528 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:530 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:534 msgid "sha1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:535 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:536 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:537 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:540 msgid "Default: sha1 (to allow compatibility with RFC5019-compliant responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:546 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:548 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:554 msgid "partial_chain" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:556 msgid "" "Allow verification to succeed even if a <replaceable>complete</replaceable> " "chain cannot be built to a self-signed trust-anchor, provided it is possible " "to construct a chain to a trusted certificate that might not be self-signed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:565 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:567 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " "default responder e.g. http://example.com:80/ocsp." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:577 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:579 msgid "" "This option is currently ignored. All needed certificates must be available " "in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:587 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:589 msgid "" "Use the Certificate Revocation List (CRL) from the given file during the " "verification of the certificate. The CRL must be given in PEM format, see " "<citerefentry> <refentrytitle>crl</refentrytitle> <manvolnum>1ssl</" "manvolnum> </citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:602 msgid "soft_crl" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:605 msgid "" "If a Certificate Revocation List (CRL) is expired ignore the CRL checks for " "the related certificates. This option should be used to allow authentication " "when the system is offline and the CRL cannot be renewed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:501 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:616 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:619 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:625 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:628 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:633 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:638 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:643 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:646 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:657 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:660 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " "domains as the missing domains will be looked up based on the order they're " "presented in the <quote>domains</quote> configuration option. The " "subdomains which are not listed as part of <quote>lookup_order</quote> will " "be looked up in a random order for each parent domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:672 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input <phrase " "condition=\"with_files_provider\"> , for all users but the ones managed by " "the files provider </phrase>. In case the administrator wants the output " "not fully-qualified, the full_name_format option can be used as shown below: " "<quote>full_name_format=%1$s</quote> However, keep in mind that during " "login, login applications often canonicalize the username by calling " "<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry> which, if a shortname is returned for a qualified " "input (while trying to reach a user which exists in multiple domains) might " "re-route the login attempt into the domain which uses shortnames, making " "this workaround totally not recommended in cases where usernames may overlap " "between domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:700 sssd.conf.5.xml:1791 sssd.conf.5.xml:4310 #: sssd-ad.5.xml:187 sssd-ad.5.xml:327 sssd-ad.5.xml:341 msgid "Default: Not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:705 msgid "implicit_pac_responder (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:708 msgid "" "The PAC responder is enabled automatically for the IPA and AD provider to " "evaluate and check the PAC. If it has to be disabled set this option to " "'false'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:719 msgid "core_dumpable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:722 msgid "" "This option can be used for general system hardening: setting it to 'false' " "forbids core dumps for all SSSD processes to avoid leaking plain text " "passwords. See man page prctl:PR_SET_DUMPABLE for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:734 msgid "passkey_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:742 msgid "user_verification (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:744 msgid "" "Enable or disable the user verification (i.e. PIN, fingerprint) during " "authentication. If enabled, the PIN will always be requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:750 msgid "" "The default is that the key settings decide what to do. In the IPA or " "kerberos pre-authentication case, this value will be overwritten by the " "server." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:737 msgid "" "With this parameter the passkey verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:211 msgid "" "Individual pieces of SSSD functionality are provided by special SSSD " "services that are started and stopped together with SSSD. The services are " "managed by a special service frequently called <quote>monitor</quote>. The " "<quote>[sssd]</quote> section is used to configure the monitor as well as " "some other important options like the identity domains. <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:769 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:771 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " "section, for example, for NSS service, the section would be <quote>[nss]</" "quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:778 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:780 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:797 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:800 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " "the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " "systems without this capability, the resulting value will be the lower value " "of this or the limits.conf \"hard\" limit." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:809 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:814 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:817 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " "limited in order to avoid resource exhaustion on the system. The timeout " "can't be shorter than 10 seconds. If a lower value is configured, it will be " "adjusted to 10 seconds." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:826 #, fuzzy #| msgid "Default: 200000" msgid "Default: 60, KCM: 300" msgstr "Výchozí: 200000" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:831 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:834 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. By " "default SSSD uses incremental behaviour to calculate delay in between " "retries. So, the wait time for a given retry will be longer than the wait " "time for the previous ones. After each unsuccessful attempt to go online, " "the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:845 sssd.conf.5.xml:901 msgid "" "new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0..." "offline_timeout_random_offset]" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:848 msgid "" "The offline_timeout default value is 60. The offline_timeout_max default " "value is 3600. The offline_timeout_random_offset default value is 30. The " "end result is amount of seconds before next retry." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:854 msgid "" "Note that the maximum length of each interval is defined by " "offline_timeout_max (apart of random part)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:858 sssd.conf.5.xml:1201 sssd.conf.5.xml:1584 #: sssd.conf.5.xml:1880 sssd-ldap.5.xml:495 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:863 #, fuzzy #| msgid "ldap_idmap_range_max (integer)" msgid "offline_timeout_max (integer)" msgstr "ldap_idmap_range_max (celé číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:866 msgid "" "Controls by how much the time between attempts to go online can be " "incremented following unsuccessful attempts to go online." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:871 msgid "A value of 0 disables the incrementing behaviour." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:874 msgid "" "The value of this parameter should be set in correlation to offline_timeout " "parameter value." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:878 msgid "" "With offline_timeout set to 60 (default value) there is no point in setting " "offlinet_timeout_max to less than 120 as it will saturate instantly. General " "rule here should be to set offline_timeout_max to at least 4 times " "offline_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:884 msgid "" "Although a value between 0 and offline_timeout may be specified, it has the " "effect of overriding the offline_timeout value so is of little use." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:889 #, fuzzy #| msgid "Default: 200000" msgid "Default: 3600" msgstr "Výchozí: 200000" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:894 #, fuzzy #| msgid "ldap_idmap_range_size (integer)" msgid "offline_timeout_random_offset (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:897 msgid "" "When SSSD is in offline mode it keeps probing backend servers in specified " "time intervals:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:904 msgid "" "This parameter controls the value of the random offset used for the above " "equation. Final random_offset value will be random number in range:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:909 msgid "[0 - offline_timeout_random_offset]" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:912 msgid "A value of 0 disables the random offset addition." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:915 #, fuzzy #| msgid "Default: 200000" msgid "Default: 30" msgstr "Výchozí: 200000" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:920 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:923 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " "resource exhaustion on the system. The minimum acceptable value for this " "option is 60 seconds. Setting this option to 0 (zero) means that no timeout " "will be set up to the responder. This option only has effect when SSSD is " "built with systemd support and when services are either socket or D-Bus " "activated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:937 sssd.conf.5.xml:1214 sssd.conf.5.xml:2322 #: sssd-ldap.5.xml:332 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:942 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:945 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:960 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:962 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:967 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:970 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:974 msgid "Default: 120" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:979 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:982 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " "for the domain." msgstr "" "Mezipaměť položek může být nastavena na automatické aktualizování položek na " "pozadí, pokud jsou požadovány za procentem hodnoty entry_cache_timeout pro " "doménu." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:988 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " "after 15 seconds past the last cache update will be returned immediately, " "but the SSSD will go and update the cache on its own, so that future " "requests will not need to block waiting for a cache update." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:998 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " "percentage will never reduce the nowait timeout to less than 10 seconds. (0 " "disables this feature)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1006 sssd.conf.5.xml:2122 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1011 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1014 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " "before asking the back end again." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1020 sssd.conf.5.xml:1779 sssd.conf.5.xml:2146 msgid "Default: 15" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1025 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1028 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " "the option to 0 disables this feature." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1034 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1039 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1042 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " "also be set per-domain or include fully-qualified names to filter only users " "from the particular domain or by a user principal name (UPN)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1050 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " "NSS. E.g. a group having a member group filtered out will still have the " "member users of the latter listed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1058 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1063 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1066 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1077 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1080 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1085 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1091 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" " " msgstr "" #. type: Content of: <varlistentry><listitem><para> #: sssd.conf.5.xml:1089 sssd.conf.5.xml:1651 sssd.conf.5.xml:1670 #: sssd.conf.5.xml:1747 sssd-krb5.5.xml:451 include/override_homedir.xml:66 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1095 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1101 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1104 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " "or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1110 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1116 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1119 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1122 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1126 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1131 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1136 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1139 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " "allowed shells in allowed_shells would be to much overhead." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1146 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1149 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1153 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1158 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1161 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1166 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1169 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1173 msgid "Default: /bin/sh" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1178 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1181 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1187 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1194 sssd.conf.5.xml:1577 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1197 sssd.conf.5.xml:1580 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" "Určuje dobu (v sekundách) po které bude seznam dílčích domén považován za " "platný." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1206 msgid "memcache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1209 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1217 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1223 sssd.conf.5.xml:1248 sssd.conf.5.xml:1273 #: sssd.conf.5.xml:1298 sssd.conf.5.xml:1325 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1231 msgid "memcache_size_passwd (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1234 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for passwd requests. Setting the size to 0 will disable the passwd in-" "memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1240 sssd.conf.5.xml:2971 sssd-ldap.5.xml:549 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1243 sssd.conf.5.xml:1268 sssd.conf.5.xml:1293 #: sssd.conf.5.xml:1320 msgid "" "WARNING: Disabled or too small in-memory cache can have significant negative " "impact on SSSD's performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1256 #, fuzzy #| msgid "ldap_idmap_range_size (integer)" msgid "memcache_size_group (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1259 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for group requests. Setting the size to 0 will disable the group in-memory " "cache." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1265 sssd.conf.5.xml:1317 sssd.conf.5.xml:3737 #: sssd-ldap.5.xml:474 sssd-ldap.5.xml:526 include/failover.xml:116 #: include/krb5_options.xml:11 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1281 msgid "memcache_size_initgroups (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1284 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for initgroups requests. Setting the size to 0 will disable the initgroups " "in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1306 #, fuzzy #| msgid "ldap_idmap_range_size (integer)" msgid "memcache_size_sid (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1309 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for SID related requests. Only SID-by-ID and ID-by-SID requests are " "currently cached in fast in-memory cache. Setting the size to 0 will " "disable the SID in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:1333 sssd-ifp.5.xml:90 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1336 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " "attributes is controlled by this option. It is handled the same way as the " "<quote>user_attributes</quote> option of the InfoPipe responder (see " "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for details) but with no default values." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1349 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1354 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1359 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1362 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1367 msgid "Default: <quote>*</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1370 msgid "" "Note: This option can also be set per-domain which overwrites the value in " "[nss] section." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1374 msgid "" "Default: <quote>not set</quote> (remote domains), <phrase " "condition=\"with_files_provider\"> <quote>x</quote> (the files domain), </" "phrase> <quote>x</quote> (proxy domain with nss_files and sssd-shadowutils " "target)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:1386 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:1388 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1393 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1396 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1401 sssd.conf.5.xml:1414 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1407 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1410 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1420 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1423 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1428 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " "authentication can enable offline authentication again." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1434 sssd.conf.5.xml:1544 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1440 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1443 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1448 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1451 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1454 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1458 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1461 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1465 sssd.8.xml:63 msgid "Default: 1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1471 msgid "pam_response_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1474 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " "responses sent to pam_sss e.g. messages displayed to the user or environment " "variables which should be set by pam_sss." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1482 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1489 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1490 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1493 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1494 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1498 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1499 msgid "Do not send environment variable var_name to service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1487 msgid "" "Currently the following filters are supported: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1506 msgid "" "The list of strings can either be the list of filters which would set this " "list of filters and overwrite the defaults. Or each element of the list can " "be prefixed by a '+' or '-' character which would add the filter to the " "existing default or remove it from the defaults, respectively. Please note " "that either all list elements must have a '+' or '-' prefix or none. It is " "considered as an error to mix both styles." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1517 msgid "Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1520 msgid "" "Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the default list" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1527 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1530 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " "ensure that authentication takes place with the latest information." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1536 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" "client-application basis) how long (in seconds) we can cache the identity " "information to avoid excessive round-trips to the identity provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1550 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1553 sssd.conf.5.xml:2995 msgid "Display a warning N days before the password expires." msgstr "Zobrazit varování N dnů před skončením platnosti hesla." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1556 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " "cannot display a warning." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1562 sssd.conf.5.xml:2998 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1567 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1572 sssd.conf.5.xml:4003 sssd-ldap.5.xml:607 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1589 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1592 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " "included in this list can only access domains marked as public with " "<quote>pam_public_domains</quote>. User names are resolved to UIDs at " "startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1602 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1606 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1613 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1616 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1620 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1624 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1628 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1632 sssd.conf.5.xml:1657 sssd.conf.5.xml:1676 #: sssd.conf.5.xml:1913 sssd.conf.5.xml:2733 sssd.conf.5.xml:3932 #: sssd-ldap.5.xml:1209 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1637 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1640 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1645 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1653 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1662 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1665 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1672 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1681 msgid "pam_passkey_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1684 msgid "Enable passkey device based authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1687 sssd.conf.5.xml:1999 sssd-ad.5.xml:1271 #: sss_rpcidmapd.5.xml:76 sssd-files.5.xml:145 msgid "Default: True" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1692 msgid "passkey_debug_libfido2 (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1695 msgid "Enable libfido2 library debug messages." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1698 sssd.conf.5.xml:1712 sssd-ldap.5.xml:672 #: sssd-ldap.5.xml:693 sssd-ldap.5.xml:789 sssd-ldap.5.xml:1295 #: sssd-ad.5.xml:505 sssd-ad.5.xml:581 sssd-ad.5.xml:1126 sssd-ad.5.xml:1175 #: include/ldap_id_mapping.xml:250 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1703 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1706 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " "authentication process this option is disabled by default." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1717 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1720 msgid "The path to the certificate database." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1723 sssd.conf.5.xml:2248 sssd.conf.5.xml:4424 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1725 sssd.conf.5.xml:2250 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted CA " "certificates in PEM format)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1735 msgid "pam_cert_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1738 msgid "" "With this parameter the PAM certificate verification can be tuned with a " "comma separated list of options that override the " "<quote>certificate_verification</quote> value in <quote>[sssd]</quote> " "section. Supported options are the same of <quote>certificate_verification</" "quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1749 #, no-wrap msgid "" "pam_cert_verification = partial_chain\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1753 msgid "" "Default: not set, i.e. use default <quote>certificate_verification</quote> " "option defined in <quote>[sssd]</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1760 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1763 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1772 #, fuzzy #| msgid "timeout (integer)" msgid "passkey_child_timeout (integer)" msgstr "timeout (celé kladné číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1775 msgid "" "How many seconds will the PAM responder wait for passkey_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1784 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1787 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1796 #, fuzzy #| msgid "simple_allow_users (string)" msgid "pam_p11_allowed_services (string)" msgstr "simple_allow_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1799 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1814 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1803 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in order " "to replace a default PAM service name for authentication with Smartcards (e." "g. <quote>login</quote>) with a custom PAM service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1818 sssd-ad.5.xml:644 sssd-ad.5.xml:753 sssd-ad.5.xml:811 #: sssd-ad.5.xml:869 sssd-ad.5.xml:947 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1823 sssd-ad.5.xml:648 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1828 sssd-ad.5.xml:653 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1833 sssd-ad.5.xml:658 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1838 sssd-ad.5.xml:673 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1843 sssd-ad.5.xml:668 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1848 sssd-ad.5.xml:678 msgid "kdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1853 sssd-ad.5.xml:956 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1858 sssd-ad.5.xml:961 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1863 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1871 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1874 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " "inserted." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1885 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1888 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " "p11_child will search for a PKCS#11 slot (reader) where the 'removable' " "flags is set and read the certificates from the inserted token from the " "first slot found. If multiple readers are connected p11_uri can be used to " "tell p11_child to use a specific reader." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1901 #, no-wrap msgid "" "p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1905 #, no-wrap msgid "" "p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1899 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " "debug output of p11_child. As an alternative the GnuTLS utility 'p11tool' " "with e.g. the '--list-all' will show PKCS#11 URIs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1918 msgid "pam_initgroups_scheme" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1926 msgid "always" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1927 msgid "" "Always do an online lookup, please note that pam_id_timeout still applies" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1931 msgid "no_session" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1932 msgid "" "Only do an online lookup if there is no active session of the user, i.e. if " "the user is currently not logged in" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1937 msgid "never" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1938 msgid "" "Never force an online lookup, use the data from the cache as long as they " "are not expired" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1921 msgid "" "The PAM responder can force an online lookup to get the current group " "memberships of the user trying to log in. This option controls when this " "should be done and the following values are allowed: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1945 msgid "Default: no_session" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:1950 sssd.conf.5.xml:4363 msgid "pam_gssapi_services" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1953 msgid "" "Comma separated list of PAM services that are allowed to try GSSAPI " "authentication using pam_sss_gss.so module." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1958 msgid "" "To disable GSSAPI authentication, set this option to <quote>-</quote> (dash)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1962 sssd.conf.5.xml:1993 sssd.conf.5.xml:2031 msgid "" "Note: This option can also be set per-domain which overwrites the value in " "[pam] section. It can also be set for trusted domain which overwrites the " "value in the domain section." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1970 #, no-wrap msgid "" "pam_gssapi_services = sudo, sudo-i\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1968 sssd.conf.5.xml:3926 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1974 msgid "Default: - (GSSAPI authentication is disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:1979 sssd.conf.5.xml:4364 msgid "pam_gssapi_check_upn" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1982 msgid "" "If True, SSSD will require that the Kerberos user principal that " "successfully authenticated through GSSAPI can be associated with the user " "who is being authenticated. Authentication will fail if the check fails." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1989 msgid "" "If False, every user that is able to obtained required service ticket will " "be authenticated." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2004 msgid "pam_gssapi_indicators_map" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2007 msgid "" "Comma separated list of authentication indicators required to be present in " "a Kerberos ticket to access a PAM service that is allowed to try GSSAPI " "authentication using pam_sss_gss.so module." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2013 msgid "" "Each element of the list can be either an authentication indicator name or a " "pair <quote>service:indicator</quote>. Indicators not prefixed with the PAM " "service name will be required to access any PAM service configured to be " "used with <option>pam_gssapi_services</option>. A resulting list of " "indicators per PAM service is then checked against indicators in the " "Kerberos ticket during authentication by pam_sss_gss.so. Any indicator from " "the ticket that matches the resulting list of indicators for the PAM service " "would grant access. If none of the indicators in the list match, access will " "be denied. If the resulting list of indicators for the PAM service is empty, " "the check will not prevent the access." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2026 msgid "" "To disable GSSAPI authentication indicator check, set this option to <quote>-" "</quote> (dash). To disable the check for a specific PAM service, add " "<quote>service:-</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2037 msgid "" "Following authentication indicators are supported by IPA Kerberos " "deployments:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2040 msgid "" "pkinit -- pre-authentication using X.509 certificates -- whether stored in " "files or on smart cards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2043 msgid "" "hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a " "FAST channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2046 msgid "radius -- pre-authentication with the help of a RADIUS server." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2049 msgid "" "otp -- pre-authentication using integrated two-factor authentication (2FA or " "one-time password, OTP) in IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2052 msgid "idp -- pre-authentication using external identity provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:2062 #, no-wrap msgid "" "pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2057 msgid "" "Example: to require access to SUDO services only for users which obtained " "their Kerberos tickets with a X.509 certificate pre-authentication (PKINIT), " "set <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2066 msgid "Default: not set (use of authentication indicators is not required)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2074 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2076 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-" "sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2093 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2096 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2108 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2111 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " "<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " "<quote>full refresh</quote> of sudo rules is triggered instead. This " "threshold number also applies to IPA sudo command and command group searches." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2130 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2132 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2136 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2139 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " "before asking the back end again." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2155 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2157 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2161 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2164 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2173 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2176 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2180 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2185 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2188 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " "entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" "refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2203 msgid "ssh_use_certificate_matching_rules (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2206 msgid "" "By default the ssh responder will use all available certificate matching " "rules to filter the certificates so that ssh keys are only derived from the " "matching ones. With this option the used rules can be restricted with a " "comma separated list of mapping and matching rule names. All other rules " "will be ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2215 msgid "" "There are two special key words 'all_rules' and 'no_rules' which will enable " "all or no rules, respectively. The latter means that no certificates will be " "filtered out and ssh keys will be generated from all valid certificates." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2222 msgid "" "If no rules are configured using 'all_rules' will enable a default rule " "which enables all certificates suitable for client authentication. This is " "the same behavior as for the PAM responder if certificate authentication is " "enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2229 msgid "" "A non-existing rule name is considered an error. If as a result no rule is " "selected all certificates will be ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2234 msgid "" "Default: not set, equivalent to 'all_rules', all found rules or the default " "rule are used" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2240 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2243 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2263 msgid "PAC responder configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2265 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " "PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " "provider collects domain SID and ID ranges of the domain the client is " "joined to and of remote trusted domains from the local domain controller. If " "the PAC is decoded and evaluated some of the following operations are done:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2274 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " "GID will have the same value as the UID. The home directory is set based on " "the subdomain_homedir parameter. The shell will be empty by default, i.e. " "the system defaults are used, but can be overwritten with the default_shell " "parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2282 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2288 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2292 sssd-ifp.5.xml:66 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2295 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " "startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2301 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2305 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " "access the PAC responder, which would be the typical case, you have to add 0 " "to the list of allowed UIDs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2314 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2317 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2327 #, fuzzy #| msgid "krb5_rcache_dir (string)" msgid "pac_check (string)" msgstr "krb5_rcache_dir (řetězec)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2330 msgid "" "Apply additional checks on the PAC of the Kerberos ticket which is available " "in Active Directory and FreeIPA domains, if configured. Please note that " "Kerberos ticket validation must be enabled to be able to check the PAC, i.e. " "the krb5_validate option must be set to 'True' which is the default for the " "IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will " "be skipped." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2344 msgid "no_check" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2346 msgid "" "The PAC must not be present and even if it is present no additional checks " "will be done." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2352 msgid "pac_present" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2354 msgid "" "The PAC must be present in the service ticket which SSSD will request with " "the help of the user's TGT. If the PAC is not available the authentication " "will fail." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2362 msgid "check_upn" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2364 msgid "" "If the PAC is present check if the user principal name (UPN) information is " "consistent." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2370 msgid "check_upn_allow_missing" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2372 msgid "" "This option should be used together with 'check_upn' and handles the case " "where a UPN is set on the server-side but is not read by SSSD. The typical " "example is a FreeIPA domain where 'ldap_user_principal' is set to a not " "existing attribute name. This was typically done to work-around issues in " "the handling of enterprise principals. But this is fixed since quite some " "time and FreeIPA can handle enterprise principals just fine and there is no " "need anymore to set 'ldap_user_principal'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2384 msgid "" "Currently this option is set by default to avoid regressions in such " "environments. A log message will be added to the system log and SSSD's debug " "log in case a UPN is found in the PAC but not in SSSD's cache. To avoid this " "log message it would be best to evaluate if the 'ldap_user_principal' option " "can be removed. If this is not possible, removing 'check_upn' will skip the " "test and avoid the log message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2398 msgid "upn_dns_info_present" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2400 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2405 msgid "check_upn_dns_info_ex" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2407 msgid "" "If the PAC is present and the extension to the UPN-DNS-INFO buffer is " "available check if the information in the extension is consistent." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2414 msgid "upn_dns_info_ex_present" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2416 msgid "" "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies " "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2340 msgid "" "The following options can be used alone or in a comma-separated list: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2426 msgid "" "Default: no_check (AD and IPA provider 'check_upn, check_upn_allow_missing, " "check_upn_dns_info_ex')" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2435 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2437 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" "citerefentry>, a part of tlog package, to log what users see and type when " "they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-" "session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2450 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2461 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2464 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2469 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2472 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2481 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2484 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2457 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2491 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2496 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2499 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " "replacement, case changes, etc." msgstr "" "Čárkou oddělovaný seznam uživatelů, kterým zapnout zaznamenávání relace. " "Shodující se uživatelská jména jsou vrácena z NSS. T.j. po možném nahrazení " "mezer, změně velikosti písmen, atd." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2505 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2510 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2513 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " "possible space replacement, case changes, etc." msgstr "" "Čárkou oddělovaný seznam skupin, dále členů, pro které zapnout zaznamenávání " "relace. Odpovídající názvy skupin jsou vráceny z NSS. Tj. po možném " "nahrazení mezer, změn velikosti písmen, atd." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2519 sssd.conf.5.xml:2551 sssd-session-recording.5.xml:129 #: sssd-session-recording.5.xml:161 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " "retrieving and matching the groups the user is member of." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2526 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2531 sssd-session-recording.5.xml:141 #, fuzzy #| msgid "simple_deny_users (string)" msgid "exclude_users (string)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2534 sssd-session-recording.5.xml:144 msgid "" "A comma-separated list of users to be excluded from recording, only " "applicable with 'scope=all'." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2538 sssd-session-recording.5.xml:148 msgid "Default: Empty. No users excluded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2543 sssd-session-recording.5.xml:153 #, fuzzy #| msgid "simple_deny_groups (string)" msgid "exclude_groups (string)" msgstr "simple_deny_groups (řetězec)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2546 sssd-session-recording.5.xml:156 msgid "" "A comma-separated list of groups, members of which should be excluded from " "recording. Only applicable with 'scope=all'." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2558 sssd-session-recording.5.xml:168 msgid "Default: Empty. No groups excluded." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:2568 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd.conf.5.xml:2575 sssd.conf.5.xml:4054 sssd.conf.5.xml:4055 #: sssd.conf.5.xml:4058 msgid "enabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2578 msgid "" "Explicitly enable or disable the domain. If <quote>true</quote>, the domain " "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is " "always <quote>disabled</quote>. If this option is not set, the domain is " "enabled only if it is listed in the domains option in the <quote>[sssd]</" "quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2590 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2593 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " "be present or generated. Only objects from POSIX domains are available to " "the operating system interfaces and utilities." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2601 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2605 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry>) and the PAM responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2613 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2617 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2621 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2627 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2630 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2635 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" "primary group memberships, those that are in range will be reported as " "expected." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2642 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2646 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2652 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2655 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " "enable enumeration in order for secondary groups to be displayed. This " "parameter can have one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2663 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2666 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2669 sssd.conf.5.xml:2950 sssd.conf.5.xml:3127 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2672 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2677 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " "to fully complete enumerations. During this time, individual requests for " "information will go directly to LDAP, though it may be slow, due to the " "heavy enumeration processing. Saving a large number of entries to cache " "after the enumeration completes might also be CPU intensive as the " "memberships have to be recomputed. This can lead to the <quote>sssd_be</" "quote> process becoming unresponsive or even restarted by the internal " "watchdog." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2692 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2697 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " "enumeration lookups are completed successfully. For more information, refer " "to the man pages for the specific id_provider in use." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2705 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2713 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2720 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2721 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2724 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2725 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2716 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " "Optionally, a list of one or more domain names can enable enumeration just " "for these trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2739 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2742 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2746 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " "for newly added or expired entries. You should run the <citerefentry> " "<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" "citerefentry> tool in order to force refresh of entries that have already " "been cached." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2759 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2765 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2768 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2772 sssd.conf.5.xml:2785 sssd.conf.5.xml:2798 #: sssd.conf.5.xml:2811 sssd.conf.5.xml:2825 sssd.conf.5.xml:2838 #: sssd.conf.5.xml:2852 sssd.conf.5.xml:2866 sssd.conf.5.xml:2879 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2778 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2781 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2791 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2794 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2804 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2807 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2817 msgid "entry_cache_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2820 msgid "" "How many seconds should nss_sss consider hosts and networks entries valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2831 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2834 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2844 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2847 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2858 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2861 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" "Kolik sekund ponechat ssh klíč hostitele po opětovném načtení. T.j. po jak " "dlouhou dobu ponechávat klíč hostitel v mezipaměti." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2872 msgid "entry_cache_computer_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2875 msgid "" "How many seconds to keep the local computer entry before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2885 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2888 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2893 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " "user, typically ran at login) operation in the past, both the user entry " "and the group membership are updated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2901 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2905 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2909 msgid "" "Cache entry will be refreshed by background task when 2/3 of cache timeout " "has already passed. If there are existing cached entries, the background " "task will refer to their original cache timeout values instead of current " "configuration value. This may lead to a situation in which background " "refresh task appears to not be working. This is done by design to improve " "offline mode operation and reuse of existing valid cache entries. To make " "this change instant the user may want to manually invalidate existing cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2922 sssd-ldap.5.xml:361 sssd-ldap.5.xml:1738 #: sssd-ipa.5.xml:270 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2928 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2931 msgid "" "Determines if user credentials are also cached in the local LDB cache. The " "cached credentials refer to passwords, which includes the first (long term) " "factor of two-factor authentication, not other authentication mechanisms. " "Passkey and Smartcard authentications are expected to work offline as long " "as a successful online authentication is recorded in the cache without " "additional configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2942 msgid "" "Take a note that while credentials are stored as a salted SHA512 hash, this " "still potentially poses some security risk in case an attacker manages to " "get access to a cache file (normally requires privileged access) and to " "break a password using brute force attack." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2956 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2959 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " "(long term password) must have to be saved as SHA512 hash into the cache." msgstr "" "Pokud je používáno dvoufaktorové ověřování (2FA) a přihlašovací údaje mají " "být ukládány, tato hodnota určuje nejkratší umožněnou délku pro hlavní " "faktor ověřování (dlouhodobé heslo), od které je třeba ho uložit jako SHA512 " "otisk do mezipaměti." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2966 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2977 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2980 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " "value of this parameter must be greater than or equal to " "offline_credentials_expiration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2987 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2992 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3003 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " "cannot display a warning. Also an auth provider has to be configured for the " "backend." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3010 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3016 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3019 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3023 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3026 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " "information on how to mirror local users and groups into SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3034 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " "information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3042 sssd.conf.5.xml:3153 sssd.conf.5.xml:3204 #: sssd.conf.5.xml:3267 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Identity Management provider. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring FreeIPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3051 sssd.conf.5.xml:3162 sssd.conf.5.xml:3213 #: sssd.conf.5.xml:3276 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring Active Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3062 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3065 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3070 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " "<command>getent passwd test</command> wouldn't find the user while " "<command>getent passwd test@LOCAL</command> would." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3078 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " "will be searched when an unqualified name is requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3085 msgid "" "Default: FALSE (TRUE for trusted domain/sub-domains or if " "default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3092 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3095 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3098 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " "calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " "<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " "<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" "citerefentry>. As an effect, <quote>getent group $groupname</quote> would " "return the requested group as if it was empty." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3116 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " "members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3122 sssd.conf.5.xml:3848 sssd-ldap.5.xml:327 #: sssd-ldap.5.xml:356 sssd-ldap.5.xml:409 sssd-ldap.5.xml:469 #: sssd-ldap.5.xml:490 sssd-ldap.5.xml:521 sssd-ldap.5.xml:544 #: sssd-ldap.5.xml:583 sssd-ldap.5.xml:602 sssd-ldap.5.xml:626 #: sssd-ldap.5.xml:1053 sssd-ldap.5.xml:1086 msgid "" "This option can be also set per subdomain or inherited via " "<emphasis>subdomain_inherit</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3132 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3135 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3139 sssd.conf.5.xml:3197 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3146 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring Kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3170 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3173 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3176 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3182 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3185 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " "Internal special providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3191 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3194 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3221 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" "manvolnum></citerefentry> for more information on configuring the simple " "access module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3228 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" "citerefentry> for more information on configuring Kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3235 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3238 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3243 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3246 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3251 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3259 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring Kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3284 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3288 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3291 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3298 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3301 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3305 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3313 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3317 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3321 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3324 sssd.conf.5.xml:3410 sssd.conf.5.xml:3480 #: sssd.conf.5.xml:3505 sssd.conf.5.xml:3541 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3328 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " "options that can be used to adjust the behavior. Please refer to " "\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3343 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " "<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " "activity in SSSD if you do not want to use sudo with SSSD at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3353 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3356 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " "providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3362 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3370 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3373 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3379 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3382 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3388 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3397 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " "the AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3406 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3416 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3419 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " "Commander, which works only with IPA. Supported session providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3426 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3430 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3434 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3438 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3446 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3449 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3453 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3460 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3468 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring the AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3477 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3487 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3490 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3494 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3502 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3512 msgid "resolver_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3515 msgid "" "The provider which should handle hosts and networks lookups. Supported " "resolver providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3519 msgid "" "<quote>proxy</quote> to forward lookups to another NSS library. See " "<quote>proxy_resolver_lib_name</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3523 msgid "" "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3530 msgid "" "<quote>ad</quote> to fetch hosts and networks stored in AD. See " "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring the AD " "provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3538 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3551 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " "match either the SSSD configuration domain name, or, in the case of IPA " "trust subdomains and Active Directory domains, the flat (NetBIOS) name of " "the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3560 msgid "" "Default: <quote>^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>" "[^@]+))$</quote> which allows two different styles for user names:" msgstr "" # auto translated by TM merge from project: Fedora Websites, version: # fedorahosted.org, DocId: po/fedorahosted #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3565 sssd.conf.5.xml:3579 msgid "username" msgstr "username" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3568 sssd.conf.5.xml:3582 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3573 msgid "" "Default for the AD and IPA provider: <quote>^(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<" "name>[^@\\\\]+)))$</quote> which allows three different styles for user " "names:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3585 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3588 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3593 msgid "" "The default re_expression uses the <quote>@</quote> character as a separator " "between the name and the domain. As a result of this setting the default " "does not accept the <quote>@</quote> character in short names (as it is " "allowed in Windows group names). If a user wishes to use short names with " "<quote>@</quote> they must create their own re_expression." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3645 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3651 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3654 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3658 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3661 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3664 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3667 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3670 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3673 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3679 #, fuzzy #| msgid "dns_resolver_timeout" msgid "dns_resolver_server_timeout (integer)" msgstr "dns_resolver_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3682 msgid "" "Defines the amount of time (in milliseconds) SSSD would try to talk to DNS " "server before trying next DNS server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3687 msgid "" "The AD provider will use this option for the CLDAP ping timeouts as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3691 sssd.conf.5.xml:3711 sssd.conf.5.xml:3732 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3696 sssd-ldap.5.xml:645 include/failover.xml:84 msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3702 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "dns_resolver_op_timeout (integer)" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3705 msgid "" "Defines the amount of time (in seconds) to wait to resolve single DNS query " "(e.g. resolution of a hostname or an SRV record) before trying the next " "hostname or DNS discovery." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3722 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3725 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " "If this timeout is reached, the domain will continue to operate in offline " "mode." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3743 #, fuzzy #| msgid "dns_resolver_timeout" msgid "dns_resolver_use_search_list (bool)" msgstr "dns_resolver_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3746 msgid "" "Normally, the DNS resolver searches the domain list defined in the " "\"search\" directive from the resolv.conf file. This can lead to delays in " "environments with improperly configured DNS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3752 msgid "" "If fully qualified domain names (or _srv_) are used in the SSSD " "configuration, setting this option to FALSE can prevent unnecessary DNS " "lookups in such environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3758 #, fuzzy #| msgid "Default: 3" msgid "Default: TRUE" msgstr "Výchozí: 3" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3764 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3767 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3771 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3777 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "failover_primary_timeout (integer)" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3780 msgid "" "When no primary server is currently available, SSSD fail overs to a backup " "server. This option defines the amount of time (in seconds) to wait before " "SSSD tries to reconnect to a primary server again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3787 msgid "Note: The minimum value is 31." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3790 #, fuzzy #| msgid "Default: 3" msgid "Default: 31" msgstr "Výchozí: 3" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3796 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3799 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3805 msgid "case_sensitive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3812 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3815 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3821 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3823 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3827 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3830 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " "protocol names) are still lowercased in the output." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3838 msgid "" "If you want to set this value for trusted domain with IPA provider, you need " "to set it on both the client and SSSD on the server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3808 msgid "" "Treat user and group names as case sensitive. Possible option values are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3853 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3859 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3862 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " "Currently the following options can be inherited:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3868 #, fuzzy #| msgid "dns_resolver_timeout" msgid "ldap_search_timeout" msgstr "dns_resolver_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3871 #, fuzzy #| msgid "dns_resolver_timeout" msgid "ldap_network_timeout" msgstr "dns_resolver_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3874 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_opt_timeout" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3877 #, fuzzy #| msgid "dns_resolver_timeout" msgid "ldap_offline_timeout" msgstr "dns_resolver_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3880 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_enumeration_refresh_timeout" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3883 msgid "ldap_enumeration_refresh_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3886 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3889 msgid "ldap_purge_cache_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3892 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3896 msgid "ldap_krb5_ticket_lifetime" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3899 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_enumeration_search_timeout" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3902 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_connection_expire_timeout" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3905 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_connection_expire_offset" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3908 msgid "ldap_connection_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3911 sssd-ldap.5.xml:401 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3914 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3917 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3920 msgid "auto_private_groups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3923 msgid "case_sensitive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:3928 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3935 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3942 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3953 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3954 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3945 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " "possible values. In addition to those, the expansion below can only be used " "with <emphasis>subdomain_homedir</emphasis>. <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3959 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3963 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3968 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3971 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "Různé štítky uložené službou nastavování realmd pro tuto doménu." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3977 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3980 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " "the online mode. If the credentials are incorrect, SSSD falls back to online " "authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3988 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3993 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3997 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " "<quote>initgroups.</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4008 #, fuzzy #| msgid "simple_deny_users (string)" msgid "local_auth_policy (string)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4011 msgid "" "Local authentication methods policy. Some backends (i.e. LDAP, proxy " "provider) only support a password based authentication, while others can " "handle PKINIT based Smartcard authentication (AD, IPA), two-factor " "authentication (IPA), or other methods against a central instance. By " "default in such cases authentication is only performed with the methods " "supported by the backend. With this option additional methods can be enabled " "which are evaluated and checked locally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4023 msgid "" "There are three possible values for this option: match, only, enable. " "<quote>match</quote> is used to match offline and online states for Kerberos " "methods. <quote>only</quote> ignores the online methods and only offer the " "local ones. enable allows explicitly defining the methods for local " "authentication. As an example, <quote>enable:passkey</quote>, only enables " "passkey for local authentication. Multiple enable values should be comma-" "separated, such as <quote>enable:passkey, enable:smartcard</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4036 msgid "" "The following table shows which authentication methods, if configured " "properly, are currently enabled or disabled for each backend, with the " "default local_auth_policy: <quote>match</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd.conf.5.xml:4049 #, fuzzy #| msgid "simple_deny_users (string)" msgid "local_auth_policy = match (default)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd.conf.5.xml:4050 msgid "Passkey" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd.conf.5.xml:4051 msgid "Smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4054 sssd-ldap.5.xml:189 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4057 sssd-ldap.5.xml:194 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd.conf.5.xml:4057 sssd.conf.5.xml:4060 sssd.conf.5.xml:4061 msgid "disabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> #: sssd.conf.5.xml:4060 msgid "LDAP" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4065 msgid "" "Please note that if local Smartcard authentication is enabled and a " "Smartcard is present, Smartcard authentication will be preferred over the " "authentication methods supported by the backend. I.e. there will be a PIN " "prompt instead of e.g. a password prompt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:4077 #, no-wrap msgid "" "[domain/shadowutils]\n" "id_provider = proxy\n" "proxy_lib_name = files\n" "auth_provider = none\n" "local_auth_policy = only\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4073 msgid "" "The following configuration example allows local users to authenticate " "locally using any enabled method (i.e. smartcard, passkey). <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4085 msgid "" "It is expected that the <quote>files</quote> provider ignores the " "local_auth_policy option and supports Smartcard authentication by default." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4090 #, fuzzy #| msgid "Default: 3" msgid "Default: match" msgstr "Výchozí: 3" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4095 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4101 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4104 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4108 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " "UID or GID number with this option. In other words, enabling this option " "enforces uniqueness across the ID space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4117 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4120 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4126 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4129 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " "to a real group object in LDAP. If the values are the same, but the primary " "GID in the user entry is also used by a group object, the primary GID of the " "user resolves to that group object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4142 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4149 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " "the existing user private groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4098 msgid "" "This option takes any of three available values: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4161 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:4169 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" "auto_private_groups = false\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:4175 #, no-wrap msgid "" "[domain/forest.domain]\n" "subdomain_inherit = auto_private_groups\n" "auto_private_groups = false\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4166 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " "globally for all subdomains in the main domain section using the " "subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:2570 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4190 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4193 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4196 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here. As an alternative you can " "enable local authentication with the local_auth_policy option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4206 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4209 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " "for example _nss_files_getpwent." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4219 msgid "proxy_resolver_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4222 msgid "" "The name of the NSS library to use for hosts and networks lookups in proxy " "domains. The NSS functions searched for in the library are in the form of " "_nss_$(libName)_$(function), for example _nss_dns_gethostbyname2_r." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4233 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4236 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " "name was an alias. Setting this option to true would cause the SSSD to " "perform the ID lookup from cache for performance reasons." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4250 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4253 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " "slots, which would cause some issues due to the requests being queued." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4186 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:4269 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4271 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " "applications as a gateway to an LDAP directory where users and groups are " "stored. However, contrary to the traditional SSSD deployment where all users " "and groups either have POSIX attributes or those attributes can be inferred " "from the Windows SIDs, in many cases the users and groups in the application " "support scenario have no POSIX attributes. Instead of setting a " "<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " "administrator can set up an <quote>[application/<replaceable>NAME</" "replaceable>]</quote> section that internally represents a domain with type " "<quote>application</quote> optionally inherits settings from a tradition " "SSSD domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4291 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " "application domain and its POSIX sibling domain is set correctly." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> #: sssd.conf.5.xml:4297 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:4299 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4302 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " "application settings that augment or override the <quote>sibling</quote> " "domain settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4316 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " "through the NSS responder. In addition, the application domain also requests " "the telephoneNumber attribute, stores it as the phone attribute in the cache " "and makes the phone attribute reachable through the D-Bus interface." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> #: sssd.conf.5.xml:4324 #, no-wrap msgid "" "[sssd]\n" "domains = appdom, posixdom\n" "\n" "[ifp]\n" "user_attributes = +phone\n" "\n" "[domain/posixdom]\n" "id_provider = ldap\n" "ldap_uri = ldap://ldap.example.com\n" "ldap_search_base = dc=example,dc=com\n" "\n" "[application/appdom]\n" "inherit_from = posixdom\n" "ldap_user_extra_attrs = phone:telephoneNumber\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4344 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4346 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" "<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" "replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base " "domain. Please refer to examples below for explanation. Currently supported " "options in the trusted domain section are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4353 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4354 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4355 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4356 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4357 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4358 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4359 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4360 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4361 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4362 sssd-ipa.5.xml:884 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4366 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4372 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4374 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " "certificate to the LDAP object of the user or to a local override. While " "using the full certificate is required to use the Smartcard authentication " "feature of SSH (see <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> for details) it " "might be cumbersome or not even possible to do this for the general case " "where local services use PAM for authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4388 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for details)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4397 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" "<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</" "replaceable>]</quote>. In this section the following options are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4404 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4407 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4411 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4418 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4421 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4427 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4433 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4442 msgid "domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4445 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " "supports subdomains this option can be used to add the rule to subdomains as " "well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4452 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4457 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4460 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " "priority while <quote>4294967295</quote> is the lowest." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4466 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4472 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4478 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4484 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " "<quote>(username)</quote> or <quote>({subject_rfc822_name.short_name})</" "quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4493 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4501 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4503 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " "which authentication methods are available for the user trying to log in. " "Based on the results pam_sss will prompt the user for appropriate " "credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4511 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " "select the prompting might not be suitable for all use cases. The following " "options should provide a better flexibility here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4523 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4526 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4527 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4525 msgid "" "to configure password prompting, allowed options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4535 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4539 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4540 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4543 msgid "second_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4544 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4547 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4548 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " "string. Please note that both factors have to be entered here, even if the " "second factor is optional." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4537 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is " "optional and it should be possible to log in either only with the password " "or with both factors two-step prompting has to be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4565 msgid "[prompting/passkey]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4571 sssd-ad.5.xml:1021 msgid "interactive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4573 msgid "" "boolean value, if True prompt a message and wait before testing the presence " "of a passkey device. Recommended if your device doesn’t have a tactile " "trigger." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4581 msgid "interactive_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4583 msgid "to change the message of the interactive prompt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4588 msgid "touch" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4590 msgid "" "boolean value, if True prompt a message to remind the user to touch the " "device." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4596 msgid "touch_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4598 msgid "to change the message of the touch prompt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4567 msgid "" "to configure passkey authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4518 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder " "type=\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/" "> <placeholder type=\"variablelist\" id=\"2\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4609 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " "for this service." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4616 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4622 #, no-wrap msgid "" "[sssd]\n" "domains = LDAP\n" "services = nss, pam\n" "config_file_version = 2\n" "\n" "[nss]\n" "filter_groups = root\n" "filter_users = root\n" "\n" "[pam]\n" "\n" "[domain/LDAP]\n" "id_provider = ldap\n" "ldap_uri = ldap://ldap.example.com\n" "ldap_search_base = dc=example,dc=com\n" "\n" "auth_provider = krb5\n" "krb5_server = kerberos.example.com\n" "krb5_realm = EXAMPLE.COM\n" "cache_credentials = true\n" "\n" "min_id = 10000\n" "max_id = 20000\n" "enumerate = False\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4618 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " "configuring domains for more details. <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4655 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" "use_fully_qualified_names = false\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4649 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " "domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " "(child.ad.com). To enable shortnames in the child domain the following " "configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" ">" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4666 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" "matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$\n" "maprule = (userCertificate;binary={cert!bin})\n" "domains = my.domain, your.domain\n" "priority = 10\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4660 msgid "" "3. The following example shows the configuration of a certificate mapping " "rule. It is valid for the configured domain <quote>my.domain</quote> and " "additionally for the subdomains <quote>your.domain</quote> and uses the full " "certificate in the search filter. <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 msgid "sssd-ldap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ldap.5.xml:17 msgid "SSSD LDAP provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:21 pam_sss.8.xml:63 pam_sss_gss.8.xml:30 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 #: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 #: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sssd-krb5.5.xml:21 #: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-session-recording.5.xml:21 sssd-kcm.8.xml:21 #: sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 #: sssd_krb5_localauth_plugin.8.xml:20 msgid "DESCRIPTION" msgstr "POPIS" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:23 msgid "" "This manual page describes the configuration of LDAP domains for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for detailed syntax information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:35 msgid "You can configure SSSD to use more than one LDAP domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:38 msgid "" "LDAP back end supports id, auth, access and chpass providers. If you want to " "authenticate against an LDAP server either TLS/SSL or LDAPS is required. " "<command>sssd</command> <emphasis>does not</emphasis> support authentication " "over an unencrypted channel. Even if the LDAP server is used only as an " "identity provider, an encrypted channel is strongly recommended. Please " "refer to <quote>ldap_access_filter</quote> config option for more " "information about using LDAP as an access provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:50 sssd-simple.5.xml:69 sssd-ipa.5.xml:82 sssd-ad.5.xml:130 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:77 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202 msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:67 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:70 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" "quote> section for more information on failover and server redundancy. If " "neither option is specified, service discovery is enabled. For more " "information, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:77 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:80 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:83 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:86 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:92 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:95 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " "Refer to the <quote>FAILOVER</quote> section for more information on " "failover and server redundancy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:102 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:106 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:112 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:115 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:119 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:123 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:126 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> #: sssd-ldap.5.xml:129 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:133 sssd-ad.5.xml:311 sss_override.8.xml:143 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:136 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:141 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:144 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " "different search bases). This will lead to unpredictable behavior on client " "machines." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:151 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " "defaultNamingContext does not exist or has an empty value namingContexts is " "used. The namingContexts attribute must have a single value with the DN of " "the search base of the LDAP server to make this work. Multiple values are " "are not supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:165 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:168 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " "may vary. The way that some attributes are handled may also differ." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:175 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:179 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:184 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:200 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " "the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " "group members are listed by DN and stored in the <emphasis>member</emphasis> " "attribute. The AD schema type sets the attributes to correspond with Active " "Directory 2008r2 values." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:210 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:216 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:219 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:223 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:227 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:233 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:240 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " "connection is used to change the password therefore the user must have write " "access to userPassword attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:248 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:254 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:257 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:264 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:267 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:271 msgid "The two mechanisms currently supported are:" msgstr "" # auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId: # po/ipa #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:274 msgid "password" msgstr "heslo" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:277 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:280 msgid "Default: password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:283 msgid "" "See the <citerefentry> <refentrytitle>sss_obfuscate</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> manual page for more information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:294 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:297 msgid "The authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:303 msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:306 msgid "" "Some directory servers, for example Active Directory, might deliver the " "realm part of the UPN in lower case, which might cause the authentication to " "fail. Set this option to a non-zero value if you want to use an upper-case " "realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:319 msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:322 msgid "" "Specifies how many seconds SSSD has to wait before refreshing its cache of " "enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:338 msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:341 msgid "" "Determine how often to check the cache for inactive entries (such as groups " "with no members and users who have never logged in) and remove them to save " "space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:347 msgid "" "Setting this option to zero will disable the cache cleanup operation. Please " "note that if enumeration is enabled, the cleanup task is required in order " "to detect entries removed from the server and can't be disabled. By default, " "the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:367 msgid "ldap_group_nesting_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:370 msgid "" "If ldap_schema is set to a schema format that supports nested groups (e.g. " "RFC2307bis), then this option controls how many levels of nesting SSSD will " "follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:377 msgid "" "Note: This option specifies the guaranteed level of nested groups to be " "processed for any lookup. However, nested groups beyond this limit " "<emphasis>may be</emphasis> returned if previous lookups already resolved " "the deeper nesting levels. Also, subsequent lookups for other groups may " "enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:386 msgid "" "If ldap_group_nesting_level is set to 0 then no nested groups are processed " "at all. However, when connected to Active-Directory Server 2008 and later " "using <quote>id_provider=ad</quote> it is furthermore required to disable " "usage of Token-Groups by setting ldap_use_tokengroups to false in order to " "restrict group nesting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:395 msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:404 msgid "" "This options enables or disables use of Token-Groups attribute when " "performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:414 msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:420 msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:423 msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:427 sssd-ipa.5.xml:462 sssd-ipa.5.xml:481 sssd-ipa.5.xml:500 #: sssd-ipa.5.xml:519 msgid "" "See <quote>ldap_search_base</quote> for information about configuring " "multiple search bases." msgstr "" #. type: Content of: <listitem><para> #: sssd-ldap.5.xml:432 sssd-ipa.5.xml:467 include/ldap_search_bases.xml:27 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:439 msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:444 msgid "ldap_iphost_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:449 msgid "ldap_ipnetwork_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:454 msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:457 msgid "" "Specifies the timeout (in seconds) that ldap searches are allowed to run " "before they are cancelled and cached results are returned (and offline mode " "is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:463 msgid "" "Note: this option is subject to change in future versions of the SSSD. It " "will likely be replaced at some point by a series of timeouts for specific " "lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:480 msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:483 msgid "" "Specifies the timeout (in seconds) that ldap searches for user and group " "enumerations are allowed to run before they are cancelled and cached results " "are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:501 msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:504 msgid "" "Specifies the timeout (in seconds) after which the <citerefentry> " "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" "<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" "manvolnum> </citerefentry> following a <citerefentry> " "<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" "citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:532 msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:535 msgid "" "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " "will abort if no response is received. Also controls the timeout when " "communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " "operation, password change extended operation and the StartTLS operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:555 msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:558 msgid "" "Specifies a timeout (in seconds) that a connection to an LDAP server will be " "maintained. After this time, the connection will be re-established. If used " "in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " "the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:566 msgid "" "If the connection is idle (not actively running an operation) within " "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be " "closed early to ensure that a new query cannot require the connection to " "remain open past its expiration. This implies that connections will always " "be closed immediately and will never be reused if " "<emphasis>ldap_connection_expire_timeout <= ldap_opt_timout</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:578 msgid "" "This timeout can be extended of a random value specified by " "<emphasis>ldap_connection_expire_offset</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:588 sssd-ldap.5.xml:631 sssd-ldap.5.xml:1713 msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:594 msgid "ldap_connection_expire_offset (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:597 msgid "" "Random offset between 0 and configured value is added to " "<emphasis>ldap_connection_expire_timeout</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:613 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_connection_idle_timeout (integer)" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:616 msgid "" "Specifies a timeout (in seconds) that an idle connection to an LDAP server " "will be maintained. If the connection is idle for more than this time then " "the connection will be closed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:622 msgid "You can disable this timeout by setting the value to 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:637 msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:640 msgid "" "Specify the number of records to retrieve from LDAP in a single request. " "Some LDAP servers enforce a maximum limit per-request." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:651 msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:654 msgid "" "Disable the LDAP paging control. This option should be used if the LDAP " "server reports that it supports the LDAP paging control in its RootDSE but " "it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:660 msgid "" "Example: OpenLDAP servers with the paging control module installed on the " "server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:666 msgid "" "Example: 389 DS has a bug where it can only support a one paging control at " "a time on a single connection. On busy clients, this can result in some " "requests being denied." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:678 msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:681 msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:684 msgid "" "Active Directory limits the number of members to be retrieved in a single " "lookup using the MaxValRange policy (which defaults to 1500 members). If a " "group contains more members, the reply would include an AD-specific range " "extension. This option disables parsing of the range extension, therefore " "large groups will appear as having no members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:699 msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:702 msgid "" "When communicating with an LDAP server using SASL, specify the minimum " "security level necessary to establish the connection. The values of this " "option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:724 msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:715 msgid "ldap_sasl_maxssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:718 msgid "" "When communicating with an LDAP server using SASL, specify the maximal " "security level necessary to establish the connection. The values of this " "option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:731 msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:734 msgid "" "Specify the number of group members that must be missing from the internal " "cache in order to trigger a dereference lookup. If less members are missing, " "they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:740 msgid "" "You can turn off dereference lookups completely by setting the value to 0. " "Please note that there are some codepaths in SSSD, like the IPA HBAC " "provider, that are only implemented using the dereference call, so even with " "dereference explicitly disabled, those parts will still use dereference if " "the server supports it and advertises the dereference control in the rootDSE " "object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:751 msgid "" "A dereference lookup is a means of fetching all group members in a single " "LDAP call. Different LDAP servers may implement different dereference " "methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " "Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:759 msgid "" "<emphasis>Note:</emphasis> If any of the search bases specifies a search " "filter, then the dereference lookup performance enhancement will be disabled " "regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:772 msgid "ldap_ignore_unreadable_references (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:775 msgid "" "Ignore unreadable LDAP entries referenced in group's member attribute. If " "this parameter is set to false an error will be returned and the operation " "will fail instead of just ignoring the unreadable entry." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:782 msgid "" "This parameter may be useful when using the AD provider and the computer " "account that sssd uses to connect to AD does not have access to a particular " "entry or LDAP sub-tree for security reasons." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:795 msgid "ldap_tls_reqcert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:798 msgid "" "Specifies what checks to perform on server certificates in a TLS session, if " "any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:804 msgid "" "<emphasis>never</emphasis> = The client will not request or check any server " "certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:808 msgid "" "<emphasis>allow</emphasis> = The server certificate is requested. If no " "certificate is provided, the session proceeds normally. If a bad certificate " "is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:815 msgid "" "<emphasis>try</emphasis> = The server certificate is requested. If no " "certificate is provided, the session proceeds normally. If a bad certificate " "is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:821 msgid "" "<emphasis>demand</emphasis> = The server certificate is requested. If no " "certificate is provided, or a bad certificate is provided, the session is " "immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:827 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:831 msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:837 msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:840 msgid "" "Specifies the file that contains certificates for all of the Certificate " "Authorities that <command>sssd</command> will recognize." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:845 sssd-ldap.5.xml:863 sssd-ldap.5.xml:904 msgid "" "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." "conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:852 msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:855 msgid "" "Specifies the path of a directory that contains Certificate Authority " "certificates in separate individual files. Typically the file names need to " "be the hash of the certificate followed by '.0'. If available, " "<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:870 msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:873 msgid "Specifies the file that contains the certificate for the client's key." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:883 msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:886 msgid "Specifies the file that contains the client's key." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:895 msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:898 msgid "" "Specifies acceptable cipher suites. Typically this is a colon separated " "list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:911 msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:914 msgid "" "Specifies that the id_provider connection must also use <systemitem " "class=\"protocol\">tls</systemitem> to protect the channel. <emphasis>true</" "emphasis> is strongly recommended for security reasons." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:925 msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:928 msgid "" "Specifies that SSSD should attempt to map user and group IDs from the " "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " "on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:934 msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:944 msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:947 msgid "" "In contrast to the SID based ID mapping which is used if ldap_id_mapping is " "set to true the allowed ID range for ldap_user_uid_number and " "ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " "might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " "can be set to restrict the allowed range for the IDs which are read directly " "from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:959 msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:965 msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:968 msgid "" "Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " "tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:972 msgid "" "If the backend supports sub-domains the value of ldap_sasl_mech is " "automatically inherited to the sub-domains. If a different value is needed " "for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " "sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " "<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:988 msgid "ldap_sasl_authid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ldap.5.xml:1000 #, no-wrap msgid "" "hostname@REALM\n" "netbiosname$@REALM\n" "host/hostname@REALM\n" "*$@REALM\n" "host/*@REALM\n" "host/*\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:991 msgid "" "Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " "this represents the Kerberos principal used for authentication to the " "directory. This option can either contain the full principal (for example " "host/myhost@EXAMPLE.COM) or just the principal name (for example host/" "myhost). By default, the value is not set and the following principals are " "used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " "found, the first principal in keytab is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1011 msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1017 msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1020 msgid "" "Specify the SASL realm to use. When not specified, this option defaults to " "the value of krb5_realm. If the ldap_sasl_authid contains the realm as " "well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1026 msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1032 msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1035 msgid "" "If set to true, the LDAP library would perform a reverse lookup to " "canonicalize the host name during a SASL bind." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1040 msgid "Default: false;" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1046 msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1049 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1058 sssd-krb5.5.xml:247 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1064 msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1067 msgid "" "Specifies that the id_provider should init Kerberos credentials (TGT). This " "action is performed only if SASL is used and the mechanism selected is " "GSSAPI or GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1079 msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1082 msgid "" "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1091 sssd-ad.5.xml:1252 msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:74 msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1100 msgid "" "Specifies the comma-separated list of IP addresses or hostnames of the " "Kerberos servers to which SSSD should connect in the order of preference. " "For more information on failover and server redundancy, see the " "<quote>FAILOVER</quote> section. An optional port number (preceded by a " "colon) may be appended to the addresses or hostnames. If empty, service " "discovery is enabled - for more information, refer to the <quote>SERVICE " "DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1112 sssd-krb5.5.xml:89 msgid "" "When using service discovery for KDC or kpasswd servers, SSSD first searches " "for DNS entries that specify _udp as the protocol and falls back to _tcp if " "none are found." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1117 sssd-krb5.5.xml:94 msgid "" "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " "While the legacy name is recognized for the time being, users are advised to " "migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1126 sssd-ipa.5.xml:531 sssd-krb5.5.xml:103 msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1129 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1133 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: sssd-ldap.5.xml:1139 include/krb5_options.xml:154 msgid "krb5_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1142 msgid "" "Specifies if the host principal should be canonicalized when connecting to " "LDAP server. This feature is available with MIT Kerberos >= 1.7" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1154 sssd-krb5.5.xml:336 msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1157 sssd-krb5.5.xml:339 msgid "" "Specifies if the SSSD should instruct the Kerberos libraries what realm and " "which KDCs to use. This option is on by default, if you disable it, you need " "to configure the Kerberos library using the <citerefentry> " "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1168 sssd-krb5.5.xml:350 msgid "" "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " "information on the locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1182 msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1185 msgid "" "Select the policy to evaluate the password expiration on the client side. " "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1190 msgid "" "<emphasis>none</emphasis> - No evaluation on the client side. This option " "cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1195 msgid "" "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " "evaluate if the password has expired. Please see option " "\"ldap_chpass_update_last_change\" as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1203 msgid "" "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " "to determine if the password has expired. Use chpass_provider=krb5 to update " "these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1212 msgid "" "<emphasis>Note</emphasis>: if a password policy is configured on server " "side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1220 msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1223 msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1227 msgid "" "Please note that sssd only supports referral chasing when it is compiled " "with OpenLDAP version 2.4.13 or higher." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1232 msgid "" "Chasing referrals may incur a performance penalty in environments that use " "them heavily, a notable example is Microsoft Active Directory. If your setup " "does not in fact require the use of referrals, setting this option to false " "might bring a noticeable performance improvement. Setting this option to " "false is therefore recommended in case the SSSD LDAP provider is used " "together with Microsoft Active Directory as a backend. Even if SSSD would be " "able to follow the referral to a different AD DC no additional data would be " "available." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1251 msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1254 msgid "Specifies the service name to use when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1258 msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1264 msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1267 msgid "" "Specifies the service name to use to find an LDAP server which allows " "password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1272 msgid "Default: not set, i.e. service discovery is disabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1278 msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1281 msgid "" "Specifies whether to update the ldap_user_shadow_last_change attribute with " "days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1287 msgid "" "It is recommend to set this option explicitly if \"ldap_pwd_policy = " "shadow\" is used to let SSSD know if the LDAP server will update " "shadowLastChange LDAP attribute automatically after a password change or if " "SSSD has to update it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1301 msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1304 msgid "" "If using access_provider = ldap and ldap_access_order = filter (default), " "this option is mandatory. It specifies an LDAP search filter criteria that " "must be met for the user to be granted access on this host. If " "access_provider = ldap, ldap_access_order = filter and this option is not " "set, it will result in all users being denied access. Use access_provider = " "permit to change this default behavior. Please note that this filter is " "applied on the LDAP user entry only and thus filtering based on nested " "groups may not work (e.g. memberOf attribute on AD entries points only to " "direct parents). If filtering based on nested groups is required, please see " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" "manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1324 msgid "Example:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> #: sssd-ldap.5.xml:1327 #, no-wrap msgid "" "access_provider = ldap\n" "ldap_access_filter = (employeeType=admin)\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1331 msgid "" "This example means that access to this host is restricted to users whose " "employeeType attribute is set to \"admin\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1336 msgid "" "Offline caching for this feature is limited to determining whether the " "user's last online login was granted access permission. If they were granted " "access during their last login, they will continue to be granted access " "while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:1400 msgid "Default: Empty" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1350 msgid "ldap_account_expire_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1353 msgid "" "With this option a client side evaluation of access control attributes can " "be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1357 msgid "" "Please note that it is always recommended to use server side access control, " "i.e. the LDAP server should deny the bind request with a suitable error code " "even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1364 msgid "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1367 msgid "" "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " "determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1372 msgid "" "<emphasis>ad</emphasis>: use the value of the 32bit field " "ldap_user_ad_user_account_control and allow access if the second bit is not " "set. If the attribute is missing access is granted. Also the expiration time " "of the account is checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1379 msgid "" "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" "emphasis>: use the value of ldap_ns_account_lock to check if access is " "allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1385 msgid "" "<emphasis>nds</emphasis>: the values of " "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " "ldap_user_nds_login_expiration_time are used to check if access is allowed. " "If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1393 msgid "" "Please note that the ldap_access_order configuration option <emphasis>must</" "emphasis> include <quote>expire</quote> in order for the " "ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1406 msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1409 sssd-ipa.5.xml:356 msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1413 msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1416 msgid "" "<emphasis>lockout</emphasis>: use account locking. If set, this option " "denies access in case that ldap attribute 'pwdAccountLockedTime' is present " "and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " "Please note that 'access_provider = ldap' must be set for this feature to " "work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1426 msgid "" "<emphasis> Please note that this option is superseded by the <quote>ppolicy</" "quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1433 msgid "" "<emphasis>ppolicy</emphasis>: use account locking. If set, this option " "denies access in case that ldap attribute 'pwdAccountLockedTime' is present " "and has value of '000001010000Z' or represents any time in the past. The " "value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " "denotes the UTC time zone. Other time zones are not currently supported and " "will result in \"access-denied\" when users attempt to log in. Please see " "the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " "must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1450 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1454 sssd-ipa.5.xml:364 msgid "" "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " "pwd_expire_policy_renew: </emphasis> These options are useful if users are " "interested in being warned that password is about to expire and " "authentication is based on using a different method than passwords - for " "example SSH keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1464 sssd-ipa.5.xml:374 msgid "" "The difference between these options is the action taken if user password is " "expired:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1469 sssd-ipa.5.xml:379 msgid "pwd_expire_policy_reject - user is denied to log in," msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1475 sssd-ipa.5.xml:385 msgid "pwd_expire_policy_warn - user is still able to log in," msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1481 sssd-ipa.5.xml:391 msgid "" "pwd_expire_policy_renew - user is prompted to change their password " "immediately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1489 msgid "" "Please note that 'access_provider = ldap' must be set for this feature to " "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1494 msgid "" "<emphasis>authorized_service</emphasis>: use the authorizedService attribute " "to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1499 msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1503 msgid "" "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " "remote host can access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1507 msgid "" "Please note, rhost field in pam is set by application, it is better to check " "what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1512 msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1515 msgid "" "Please note that it is a configuration error if a value is used more than " "once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1522 msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1525 msgid "" "This option specifies the DN of password policy entry on LDAP server. Please " "note that absence of this option in sssd.conf in case of enabled account " "lockout checking will yield access denied as ppolicy attributes on LDAP " "server cannot be checked properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1533 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1536 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1542 msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1545 msgid "" "Specifies how alias dereferencing is done when performing a search. The " "following options are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1550 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1554 msgid "" "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " "the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1559 msgid "" "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " "the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1564 msgid "" "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " "in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1569 msgid "" "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " "client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1577 msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1580 msgid "" "Allows to retain local users as members of an LDAP group for servers that " "use the RFC2307 schema." msgstr "" "Umožňuje držet místní uživatele coby členy LDAP skupiny pro servery, které " "používají schéma dle normy RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1584 msgid "" "In some environments where the RFC2307 schema is used, local users are made " "members of LDAP groups by adding their names to the memberUid attribute. " "The self-consistency of the domain is compromised when this is done, so SSSD " "would normally remove the \"missing\" users from the cached group " "memberships as soon as nsswitch tries to fetch information about the user " "via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1595 msgid "" "This option falls back to checking if local users are referenced, and caches " "them so that later initgroups() calls will augment the local users with the " "additional LDAP groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1607 sssd-ifp.5.xml:152 msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1610 msgid "" "Specifies an upper limit on the number of entries that are downloaded during " "a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1614 msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1618 msgid "Default: 1000 (often the size of one page)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1624 #, fuzzy #| msgid "ldap_idmap_range_size (integer)" msgid "ldap_library_debug_level (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1627 msgid "" "Switches on libldap debugging with the given level. The libldap debug " "messages will be written independent of the general debug_level." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1632 msgid "" "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will " "enable full debug output." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1637 msgid "Default: 0 (libldap debugging disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:52 msgid "" "All of the common configuration options that apply to SSSD domains also " "apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " "of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for full details. Note that SSSD " "LDAP mapping attributes are described in the <citerefentry> " "<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1647 msgid "SUDO OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1649 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1660 msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1663 msgid "" "How many seconds SSSD will wait between executing a full refresh of sudo " "rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1668 msgid "" "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" "emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1673 msgid "" "You can disable full refresh by setting this option to 0. However, either " "smart or full refresh must be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1678 msgid "Default: 21600 (6 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1684 msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1687 msgid "" "How many seconds SSSD has to wait before executing a smart refresh of sudo " "rules (which downloads all rules that have USN higher than the highest " "server USN value that is currently known by SSSD)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1693 msgid "" "If USN attributes are not supported by the server, the modifyTimestamp " "attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1697 msgid "" "<emphasis>Note:</emphasis> the highest USN value can be updated by three " "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " "enumeration of users and groups (if enabled and updated users or groups are " "found) and 3) by reconnecting to the server (by default every 15 minutes, " "see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1708 msgid "" "You can disable smart refresh by setting this option to 0. However, either " "smart or full refresh must be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1719 #, fuzzy #| msgid "ldap_idmap_range_size (integer)" msgid "ldap_sudo_random_offset (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1722 msgid "" "Random offset between 0 and configured value is added to smart and full " "refresh periods each time the periodic task is scheduled. The value is in " "seconds." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1728 msgid "" "Note that this random offset is also applied on the first SSSD start which " "delays the first sudo rules refresh. This prolongs the time when the sudo " "rules are not available for use." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1734 msgid "You can disable this offset by setting the value to 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1744 msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1747 msgid "" "If true, SSSD will download only rules that are applicable to this machine " "(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1758 msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1761 msgid "" "Space separated list of hostnames or fully qualified domain names that " "should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1766 msgid "" "If this option is empty, SSSD will try to discover the hostname and the " "fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1794 sssd-ldap.5.xml:1812 #: sssd-ldap.5.xml:1830 msgid "" "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" "emphasis> then this option has no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1776 sssd-ldap.5.xml:1799 msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1782 msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1785 msgid "" "Space separated list of IPv4 or IPv6 host/network addresses that should be " "used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1790 msgid "" "If this option is empty, SSSD will try to discover the addresses " "automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1805 msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1808 msgid "" "If true then SSSD will download every rule that contains a netgroup in " "sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1823 msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1826 msgid "" "If true then SSSD will download every rule that contains a wildcard in " "sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> #: sssd-ldap.5.xml:1836 msgid "" "Using wildcard is an operation that is very costly to evaluate on the LDAP " "server side!" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1848 msgid "" "This manual page only describes attribute name mapping. For detailed " "explanation of sudo related attribute semantics, see <citerefentry> " "<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" "citerefentry>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1858 msgid "AUTOFS OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1860 msgid "" "Some of the defaults for the parameters below are dependent on the LDAP " "schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1866 msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1869 msgid "The name of the automount master map in LDAP." msgstr "Název v LDAP hlavní mapy pro automatické připojování." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1872 msgid "Default: auto.master" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1883 msgid "ADVANCED OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1890 msgid "ldap_netgroup_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1895 msgid "ldap_user_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1900 msgid "ldap_group_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><note> #: sssd-ldap.5.xml:1905 msgid "<note>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> #: sssd-ldap.5.xml:1907 msgid "" "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " "against Active Directory will not be restricted and return all groups " "memberships, even with no GID mapping. It is recommended to disable this " "feature, if group names are not being displayed correctly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist> #: sssd-ldap.5.xml:1914 msgid "</note>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1916 msgid "ldap_sudo_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1921 msgid "ldap_autofs_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1885 msgid "" "These options are supported by LDAP domains, but they should be used with " "caution. Please include them in your configuration only if you know what you " "are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder " "type=\"variablelist\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1936 sssd-simple.5.xml:131 sssd-ipa.5.xml:930 #: sssd-ad.5.xml:1391 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98 #: sssd-files.5.xml:155 sssd-session-recording.5.xml:176 msgid "EXAMPLE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1938 msgid "" "The following example assumes that SSSD is correctly configured and LDAP is " "set to one of the domains in the <replaceable>[domains]</replaceable> " "section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ldap.5.xml:1944 #, no-wrap msgid "" "[domain/LDAP]\n" "id_provider = ldap\n" "auth_provider = ldap\n" "ldap_uri = ldap://ldap.mydomain.org\n" "ldap_search_base = dc=mydomain,dc=org\n" "ldap_tls_reqcert = demand\n" "cache_credentials = true\n" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: sssd-ldap.5.xml:1943 sssd-ldap.5.xml:1961 sssd-simple.5.xml:139 #: sssd-ipa.5.xml:938 sssd-ad.5.xml:1399 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492 #: sssd-files.5.xml:162 sssd-files.5.xml:173 sssd-session-recording.5.xml:182 #: include/ldap_id_mapping.xml:105 msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1955 msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1957 msgid "" "The following example assumes that SSSD is correctly configured and to use " "the ldap_access_order=lockout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ldap.5.xml:1962 #, no-wrap msgid "" "[domain/LDAP]\n" "id_provider = ldap\n" "auth_provider = ldap\n" "access_provider = ldap\n" "ldap_access_order = lockout\n" "ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" "ldap_uri = ldap://ldap.mydomain.org\n" "ldap_search_base = dc=mydomain,dc=org\n" "ldap_tls_reqcert = demand\n" "cache_credentials = true\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1977 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 #: sssd-ad.5.xml:1414 sssd.8.xml:238 sss_seed.8.xml:163 msgid "NOTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1979 msgid "" "The descriptions of some of the configuration options in this manual page " "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " "distribution." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: pam_sss.8.xml:11 pam_sss.8.xml:16 msgid "pam_sss" msgstr "" #. type: Content of: <reference><refentry><refmeta><manvolnum> #: pam_sss.8.xml:12 pam_sss_gss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 #: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 #: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 #: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 #: sssd_krb5_localauth_plugin.8.xml:11 msgid "8" msgstr "8" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: pam_sss.8.xml:17 msgid "PAM module for SSSD" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: pam_sss.8.xml:22 msgid "" "<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" "replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" "arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" "arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" "arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " "choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " "choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " "choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " "choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:64 msgid "" "<command>pam_sss.so</command> is the PAM interface to the System Security " "Services daemon (SSSD). Errors and results are logged through " "<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:70 pam_sss_gss.8.xml:89 sssd.8.xml:42 sss_obfuscate.8.xml:58 #: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 #: sss_ssh_knownhostsproxy.1.xml:62 msgid "OPTIONS" msgstr "VOLBY" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:74 msgid "<option>quiet</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:77 msgid "Suppress log messages for unknown users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:82 msgid "<option>forward_pass</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:85 msgid "" "If <option>forward_pass</option> is set the entered password is put on the " "stack for other PAM modules to use." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:92 msgid "<option>use_first_pass</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:95 msgid "" "The argument use_first_pass forces the module to use a previous stacked " "modules password and will never prompt the user - if no password is " "available or the password is not appropriate, the user will be denied access." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:103 msgid "<option>use_authtok</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:106 msgid "" "When password changing enforce the module to set the new password to the one " "provided by a previously stacked password module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:113 msgid "<option>retry=N</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:116 msgid "" "If specified the user is asked another N times for a password if " "authentication fails. Default is 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:118 msgid "" "Please note that this option might not work as expected if the application " "calling PAM handles the user dialog on its own. A typical example is " "<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:127 msgid "<option>ignore_unknown_user</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:130 msgid "" "If this option is specified and the user does not exist, the PAM module will " "return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:137 msgid "<option>ignore_authinfo_unavail</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:141 msgid "" "Specifies that the PAM module should return PAM_IGNORE if it cannot contact " "the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:148 msgid "<option>domains</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:152 msgid "" "Allows the administrator to restrict the domains a particular PAM service is " "allowed to authenticate against. The format is a comma-separated list of " "SSSD domain names, as specified in the sssd.conf file." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:158 msgid "" "NOTE: If this is used for a service not running as root user, e.g. a web-" "server, it must be used in conjunction with the <quote>pam_trusted_users</" "quote> and <quote>pam_public_domains</quote> options. Please see the " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for more information on these two PAM " "responder options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:173 msgid "<option>allow_missing_name</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:177 msgid "" "The main purpose of this option is to let SSSD determine the user name based " "on additional information, e.g. the certificate from a Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> #: pam_sss.8.xml:187 #, no-wrap msgid "" "auth sufficient pam_sss.so allow_missing_name\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:182 msgid "" "The current use case are login managers which can monitor a Smartcard reader " "for card events. In case a Smartcard is inserted the login manager will call " "a PAM stack which includes a line like <placeholder type=\"programlisting\" " "id=\"0\"/> In this case SSSD will try to determine the user name based on " "the content of the Smartcard, returns it to pam_sss which will finally put " "it on the PAM stack." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:197 msgid "<option>prompt_always</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:201 msgid "" "Always prompt the user for credentials. With this option credentials " "requested by other PAM modules, typically a password, will be ignored and " "pam_sss will prompt for credentials again. Based on the pre-auth reply by " "SSSD pam_sss might prompt for a password, a Smartcard PIN or other " "credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:212 msgid "<option>try_cert_auth</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:216 msgid "" "Try to use certificate based authentication, i.e. authentication with a " "Smartcard or similar devices. If a Smartcard is available and the service is " "allowed for Smartcard authentication the user will be prompted for a PIN and " "the certificate based authentication will continue" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:224 msgid "" "If no Smartcard is available or certificate based authentication is not " "allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:232 msgid "<option>require_cert_auth</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:236 msgid "" "Do certificate based authentication, i.e. authentication with a Smartcard " "or similar devices. If a Smartcard is not available the user will be " "prompted to insert one. SSSD will wait for a Smartcard until the timeout " "defined by p11_wait_for_card_timeout passed, please see " "<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:246 msgid "" "If no Smartcard is available after the timeout or certificate based " "authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " "is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:256 pam_sss_gss.8.xml:103 msgid "MODULE TYPES PROVIDED" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:257 msgid "" "All module types (<option>account</option>, <option>auth</option>, " "<option>password</option> and <option>session</option>) are provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:260 msgid "" "If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " "not available, pam_sss will return PAM_USER_UNKNOWN when called as " "<option>account</option> module to avoid issues with users from other " "sources during access control." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:267 pam_sss_gss.8.xml:108 msgid "RETURN VALUES" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:270 pam_sss_gss.8.xml:111 msgid "PAM_SUCCESS" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:273 pam_sss_gss.8.xml:114 msgid "The PAM operation finished successfully." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:278 pam_sss_gss.8.xml:119 msgid "PAM_USER_UNKNOWN" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:281 msgid "" "The user is not known to the authentication service or the SSSD's PAM " "responder is not running." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:287 pam_sss_gss.8.xml:128 msgid "PAM_AUTH_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:290 msgid "" "Authentication failure. Also, could be returned when there is a problem with " "getting the certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:296 msgid "PAM_PERM_DENIED" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:299 msgid "" "Permission denied. The SSSD log files may contain additional information " "about the error." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:305 msgid "PAM_IGNORE" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:308 msgid "" "See options <option>ignore_unknown_user</option> and " "<option>ignore_authinfo_unavail</option>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:314 msgid "PAM_AUTHTOK_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:317 msgid "" "Unable to obtain the new authentication token. Also, could be returned when " "the user authenticates with certificates and multiple certificates are " "available, but the installed version of GDM does not support selection from " "multiple certificates." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:325 pam_sss_gss.8.xml:136 msgid "PAM_AUTHINFO_UNAVAIL" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:328 pam_sss_gss.8.xml:139 msgid "" "Unable to access the authentication information. This might be due to a " "network or hardware failure." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:334 msgid "PAM_BUF_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:337 msgid "" "A memory error occurred. Also, could be returned when options use_first_pass " "or use_authtok were set, but no password was found from the previously " "stacked PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:344 pam_sss_gss.8.xml:145 msgid "PAM_SYSTEM_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:347 pam_sss_gss.8.xml:148 msgid "" "A system error occurred. The SSSD log files may contain additional " "information about the error." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:353 msgid "PAM_CRED_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:356 msgid "Unable to set the credentials of the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:361 msgid "PAM_CRED_INSUFFICIENT" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:364 msgid "" "The application does not have sufficient credentials to authenticate the " "user. For example, missing PIN during smartcard authentication or missing " "factor during two-factor authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:372 msgid "PAM_SERVICE_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:375 msgid "Error in service module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:380 msgid "PAM_NEW_AUTHTOK_REQD" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:383 msgid "The user's authentication token has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:388 msgid "PAM_ACCT_EXPIRED" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:391 msgid "The user account has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:396 msgid "PAM_SESSION_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:399 msgid "Unable to fetch IPA Desktop Profile rules or user info." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:404 msgid "PAM_CRED_UNAVAIL" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:407 msgid "Unable to retrieve Kerberos user credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:412 msgid "PAM_NO_MODULE_DATA" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:415 msgid "" "No authentication method was found by Kerberos. This might happen if the " "user has a Smartcard assigned but the pkint plugin is not available on the " "client." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:422 msgid "PAM_CONV_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:425 msgid "Conversation failure." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:430 msgid "PAM_AUTHTOK_LOCK_BUSY" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:433 msgid "No KDC suitable for password change is available." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:438 msgid "PAM_ABORT" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:441 msgid "Unknown PAM call." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:446 msgid "PAM_MODULE_UNKNOWN" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:449 msgid "Unsupported PAM task or command." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:454 msgid "PAM_BAD_ITEM" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:457 msgid "The authentication module cannot handle Smartcard credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:465 msgid "FILES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:466 msgid "" "If a password reset by root fails, because the corresponding SSSD provider " "does not support password resets, an individual message can be displayed. " "This message can e.g. contain instructions about how to reset a password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:471 msgid "" "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" "filename> where LOC stands for a locale string returned by <citerefentry> " "<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" "citerefentry>. If there is no matching file the content of " "<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " "the owner of the files and only root may have read and write permissions " "while all other users must have only read permissions." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:481 msgid "" "These files are searched in the directory <filename>/etc/sssd/customize/" "DOMAIN_NAME/</filename>. If no matching file is present a generic message is " "displayed." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: pam_sss_gss.8.xml:11 pam_sss_gss.8.xml:16 msgid "pam_sss_gss" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: pam_sss_gss.8.xml:17 msgid "PAM module for SSSD GSSAPI authentication" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: pam_sss_gss.8.xml:22 #, fuzzy #| msgid "" #| "<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" #| "replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" #| "arg>" msgid "" "<command>pam_sss_gss.so</command> <arg choice='opt'> <replaceable>debug</" "replaceable> </arg>" msgstr "" "<command>sss_groupdel</command> <arg choice='opt'> <replaceable>volby</" "replaceable> </arg> <arg choice='plain'><replaceable>SKUPINA</replaceable></" "arg>" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:32 msgid "" "<command>pam_sss_gss.so</command> authenticates user over GSSAPI in " "cooperation with SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:36 msgid "" "This module will try to authenticate the user using the GSSAPI hostbased " "service name host@hostname which translates to host/hostname@REALM Kerberos " "principal. The <emphasis>REALM</emphasis> part of the Kerberos principal " "name is derived by Kerberos internal mechanisms and it can be set explicitly " "in configuration of [domain_realm] section in /etc/krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:44 msgid "" "SSSD is used to provide desired service name and to validate the user's " "credentials using GSSAPI calls. If the service ticket is already present in " "the Kerberos credentials cache or if user's ticket granting ticket can be " "used to get the correct service ticket then the user will be authenticated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:51 msgid "" "If <option>pam_gssapi_check_upn</option> is True (default) then SSSD " "requires that the credentials used to obtain the service tickets can be " "associated with the user. This means that the principal that owns the " "Kerberos credentials must match with the user principal name as defined in " "LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:58 msgid "" "To enable GSSAPI authentication in SSSD, set <option>pam_gssapi_services</" "option> option in [pam] or domain section of sssd.conf. The service " "credentials need to be stored in SSSD's keytab (it is already present if you " "use ipa or ad provider). The keytab location can be set with " "<option>krb5_keytab</option> option. See <citerefentry> <refentrytitle>sssd." "conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> and " "<citerefentry> <refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more details on these options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:74 msgid "" "Some Kerberos deployments allow to associate authentication indicators with " "a particular pre-authentication method used to obtain the ticket granting " "ticket by the user. <command>pam_sss_gss.so</command> allows to enforce " "presence of authentication indicators in the service tickets before a " "particular PAM service can be accessed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:82 msgid "" "If <option>pam_gssapi_indicators_map</option> is set in the [pam] or domain " "section of sssd.conf, then SSSD will perform a check of the presence of any " "configured indicators in the service ticket." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss_gss.8.xml:93 msgid "<option>debug</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss_gss.8.xml:96 msgid "Print debugging information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:104 msgid "Only the <option>auth</option> module type is provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss_gss.8.xml:122 msgid "" "The user is not known to the authentication service or the GSSAPI " "authentication is not supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss_gss.8.xml:131 msgid "Authentication failure." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:159 msgid "" "The main use case is to provide password-less authentication in sudo but " "without the need to disable authentication completely. To achieve this, " "first enable GSSAPI authentication for sudo in sssd.conf:" msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: pam_sss_gss.8.xml:165 #, no-wrap msgid "" "[domain/MYDOMAIN]\n" "pam_gssapi_services = sudo, sudo-i\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:169 msgid "" "And then enable the module in desired PAM stack (e.g. /etc/pam.d/sudo and /" "etc/pam.d/sudo-i)." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: pam_sss_gss.8.xml:173 #, no-wrap msgid "" "...\n" "auth sufficient pam_sss_gss.so\n" "...\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss_gss.8.xml:180 msgid "TROUBLESHOOTING" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:182 msgid "" "SSSD logs, pam_sss_gss debug output and syslog may contain helpful " "information about the error. Here are some common issues:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:186 msgid "" "1. I have KRB5CCNAME environment variable set and the authentication does " "not work: Depending on your sudo version, it is possible that sudo does not " "pass this variable to the PAM environment. Try adding KRB5CCNAME to " "<option>env_keep</option> in /etc/sudoers or in your LDAP sudo rules default " "options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:193 msgid "" "2. Authentication does not work and syslog contains \"Server not found in " "Kerberos database\": Kerberos is probably not able to resolve correct realm " "for the service ticket based on the hostname. Try adding the hostname " "directly to <option>[domain_realm]</option> in /etc/krb5.conf like so:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:200 msgid "" "3. Authentication does not work and syslog contains \"No Kerberos " "credentials available\": You don't have any credentials that can be used to " "obtain the required service ticket. Use kinit or authenticate over SSSD to " "acquire those credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:206 msgid "" "4. Authentication does not work and SSSD sssd-pam log contains \"User with " "UPN [$UPN] was not found.\" or \"UPN [$UPN] does not match target user " "[$username].\": You are using credentials that can not be mapped to the user " "that is being authenticated. Try to use kswitch to select different " "principal, make sure you authenticated with SSSD or consider disabling " "<option>pam_gssapi_check_upn</option>." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: pam_sss_gss.8.xml:214 #, no-wrap msgid "" "[domain_realm]\n" ".myhostname = MYREALM\n" " " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 msgid "sssd_krb5_locator_plugin" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd_krb5_locator_plugin.8.xml:16 msgid "Kerberos locator plugin" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:22 msgid "" "The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " "used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " "a plugin to guide all Kerberos clients on a system to a single KDC. In " "general it should not matter to which KDC a client process is talking to. " "But there are cases, e.g. after a password change, where not all KDCs are in " "the same state because the new data has to be replicated first. To avoid " "unexpected authentication failures and maybe even account lockings it would " "be good to talk to a single KDC as long as possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:34 msgid "" "libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " "Kerberos plugin directory, see plugin_base_dir in <citerefentry> " "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for details. The plugin can only be disabled by removing the " "plugin file. There is no option in the Kerberos configuration to disable it. " "But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " "disable the plugin for individual commands. Alternatively the SSSD option " "krb5_use_kdcinfo=False can be used to not generate the data needed by the " "plugin. With this the plugin is still called but will provide no data to the " "caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:50 msgid "" "The plugin reads the information about the KDCs of a given realm from a file " "called <filename>kdcinfo.REALM</filename>. The file should contain one or " "more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " "hexadecimal IPv6 notation. An optional port number can be added to the end " "separated with a colon, the IPv6 address has to be enclosed in squared " "brackets in this case as usual. Valid entries are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:58 msgid "kdc.example.com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:59 msgid "kdc.example.com:321" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:60 msgid "1.2.3.4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:61 msgid "5.6.7.8:99" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:62 msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:63 msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:65 msgid "" "SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " "adds the address of the current KDC or domain controller SSSD is using to " "this file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:70 msgid "" "In environments with read-only and read-write KDCs where clients are " "expected to use the read-only instances for the general operations and only " "the read-write KDC for config changes like password changes a " "<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" "write KDCs. If this file exists for the given realm the content will be used " "by the plugin to reply to requests for a kpasswd or kadmin server or for the " "MIT Kerberos specific master KDC. If the address contains a port number the " "default KDC port 88 will be used for the latter." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:85 msgid "" "Not all Kerberos implementations support the use of plugins. If " "<command>sssd_krb5_locator_plugin</command> is not available on your system " "you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:91 msgid "" "If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " "debug messages will be sent to stderr." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:95 msgid "" "If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " "the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " "caller." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:100 msgid "" "If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " "any value plugin will try to resolve all DNS names in kdcinfo file. By " "default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " "first DNS resolving failure." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-simple.5.xml:10 sssd-simple.5.xml:16 msgid "sssd-simple" msgstr "sssd-simple" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-simple.5.xml:17 msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:24 msgid "" "This manual page describes the configuration of the simple access-control " "provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " "refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:38 msgid "" "The simple access provider grants or denies access based on an access or " "deny list of user or group names. The following rules apply:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:43 msgid "If all lists are empty, access is granted" msgstr "Pokud jsou všechny seznamy prázdné, přístup je udělen" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:47 msgid "" "If any list is provided, the order of evaluation is allow,deny. This means " "that any matching deny rule will supersede any matched allow rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:54 msgid "" "If either or both \"allow\" lists are provided, all users are denied unless " "they appear in the list." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:60 msgid "" "If only \"deny\" lists are provided, all users are granted access unless " "they appear in the list." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:78 msgid "simple_allow_users (string)" msgstr "simple_allow_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:81 msgid "Comma separated list of users who are allowed to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:88 msgid "simple_deny_users (string)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:91 msgid "Comma separated list of users who are explicitly denied access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:97 msgid "simple_allow_groups (string)" msgstr "simple_allow_groups (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:100 msgid "" "Comma separated list of groups that are allowed to log in. This applies only " "to groups within this SSSD domain. Local groups are not evaluated." msgstr "" "Čárkou oddělovaný seznam skupin, kterým je dovoleno se přihlásit. Toto se " "uplatní pouze na skupiny v rámci SSSD domény. Místní skupiny nejsou takto " "vyhodnocovány." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:108 msgid "simple_deny_groups (string)" msgstr "simple_deny_groups (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:111 msgid "" "Comma separated list of groups that are explicitly denied access. This " "applies only to groups within this SSSD domain. Local groups are not " "evaluated." msgstr "" "Čárkou oddělovaný seznam skupin, kterým je výslovně odepřen přístup. Toto se " "uplatní pouze na skupiny v rámci SSSD domény. Místní skupiny nejsou takto " "vyhodnocovány." #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:70 sssd-ipa.5.xml:83 sssd-ad.5.xml:131 msgid "" "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> manual page for details on the configuration of an SSSD " "domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:120 msgid "" "Specifying no values for any of the lists is equivalent to skipping it " "entirely. Beware of this while generating parameters for the simple provider " "using automated scripts." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:125 msgid "" "Please note that it is an configuration error if both, simple_allow_users " "and simple_deny_users, are defined." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:133 msgid "" "The following example assumes that SSSD is correctly configured and example." "com is one of the domains in the <replaceable>[sssd]</replaceable> section. " "This examples shows only the simple access provider-specific options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-simple.5.xml:140 #, no-wrap msgid "" "[domain/example.com]\n" "access_provider = simple\n" "simple_allow_users = user1, user2\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:150 msgid "" "The complete group membership hierarchy is resolved before the access check, " "thus even nested groups can be included in the access lists. Please be " "aware that the <quote>ldap_group_nesting_level</quote> option may impact the " "results and should be set to a sufficient value. (<citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" "citerefentry>) option." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss-certmap.5.xml:10 sss-certmap.5.xml:16 msgid "sss-certmap" msgstr "sss-certmap" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss-certmap.5.xml:17 msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:23 msgid "" "The manual page describes the rules which can be used by SSSD and other " "components to match X.509 certificates and map them to accounts." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:28 msgid "" "Each rule has four components, a <quote>priority</quote>, a <quote>matching " "rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" "quote>. All components are optional. A missing <quote>priority</quote> will " "add the rule with the lowest priority. The default <quote>matching rule</" "quote> will match certificates with the digitalSignature key usage and " "clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " "the certificates will be searched in the userCertificate attribute as DER " "encoded binary. If no domains are given only the local domain will be " "searched." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:39 msgid "" "To allow extensions or completely different style of rule the " "<quote>mapping</quote> and <quote>matching rules</quote> can contain a " "prefix separated with a ':' from the main part of the rule. The prefix may " "only contain upper-case ASCII letters and numbers. If the prefix is omitted " "the default type will be used which is 'KRB5' for the matching rules and " "'LDAP' for the mapping rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:48 msgid "" "The 'sssctl' utility provides the 'cert-eval-rule' command to check if a " "given certificate matches a matching rules and how the output of a mapping " "rule would look like." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss-certmap.5.xml:55 msgid "RULE COMPONENTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:57 msgid "PRIORITY" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:59 msgid "" "The rules are processed by priority while the number '0' (zero) indicates " "the highest priority. The higher the number the lower is the priority. A " "missing value indicates the lowest priority. The rules processing is stopped " "when a matched rule is found and no further rules are checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:66 msgid "" "Internally the priority is treated as unsigned 32bit integer, using a " "priority value larger than 4294967295 will cause an error." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:70 msgid "" "If multiple rules have the same priority and only one of the related " "matching rules applies, this rule will be chosen. If there are multiple " "rules with the same priority which matches, one is chosen but which one is " "undefined. To avoid this undefined behavior either use different priorities " "or make the matching rules more specific e.g. by using distinct <" "ISSUER> patterns." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:79 msgid "MATCHING RULE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:81 msgid "" "The matching rule is used to select a certificate to which the mapping rule " "should be applied. It uses a system similar to the one used by " "<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " "keyword enclosed by '<' and '>' which identified a certain part of the " "certificate and a pattern which should be found for the rule to match. " "Multiple keyword pattern pairs can be either joined with '&&' (and) " "or '||' (or)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:90 msgid "" "Given the similarity to MIT Kerberos the type prefix for this rule is " "'KRB5'. But 'KRB5' will also be the default for <quote>matching rules</" "quote> so that \"<SUBJECT>.*,DC=MY,DC=DOMAIN\" and \"KRB5:<" "SUBJECT>.*,DC=MY,DC=DOMAIN\" are equivalent." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:99 msgid "<SUBJECT>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:102 msgid "" "With this a part or the whole subject name of the certificate can be " "matched. For the matching POSIX Extended Regular Expression syntax is used, " "see regex(7) for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:108 msgid "" "For the matching the subject name stored in the certificate in DER encoded " "ASN.1 is converted into a string according to RFC 4514. This means the most " "specific name component comes first. Please note that not all possible " "attribute names are covered by RFC 4514. The names included are 'CN', 'L', " "'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " "be shown differently on different platform and by different tools. To avoid " "confusion those attribute names are best not used or covered by a suitable " "regular-expression." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:121 msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "Příklad: <SUBJECT>.*,DC=MOJE,DC=DOMENA" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:124 msgid "" "Please note that the characters \"^.[$()|*+?{\\\" have a special meaning in " "regular expressions and must be escaped with the help of the '\\' character " "so that they are matched as ordinary characters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:130 msgid "Example: <SUBJECT>^CN=.* \$Admin\$,DC=MY,DC=DOMAIN$" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:135 msgid "<ISSUER>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:138 msgid "" "With this a part or the whole issuer name of the certificate can be matched. " "All comments for <SUBJECT> apply her as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:143 msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:148 msgid "<KU>key-usage" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:151 msgid "" "This option can be used to specify which key usage values the certificate " "should have. The following values can be used in a comma separated list:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:155 msgid "digitalSignature" msgstr "digitalSignature" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:156 msgid "nonRepudiation" msgstr "nonRepudiation" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:157 msgid "keyEncipherment" msgstr "keyEncipherment" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:158 msgid "dataEncipherment" msgstr "dataEncipherment" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:159 msgid "keyAgreement" msgstr "keyAgreement" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:160 msgid "keyCertSign" msgstr "keyCertSign" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:161 msgid "cRLSign" msgstr "cRLSign" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:162 msgid "encipherOnly" msgstr "encipherOnly" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:163 msgid "decipherOnly" msgstr "decipherOnly" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:167 msgid "" "A numerical value in the range of a 32bit unsigned integer can be used as " "well to cover special use cases." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:171 msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:176 msgid "<EKU>extended-key-usage" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:179 msgid "" "This option can be used to specify which extended key usage the certificate " "should have. The following value can be used in a comma separated list:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:183 msgid "serverAuth" msgstr "serverAuth" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:184 msgid "clientAuth" msgstr "clientAuth" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:185 msgid "codeSigning" msgstr "codeSigning" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:186 msgid "emailProtection" msgstr "emailProtection" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:187 msgid "timeStamping" msgstr "timeStamping" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:188 msgid "OCSPSigning" msgstr "OCSPSigning" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:189 msgid "KPClientAuth" msgstr "KPClientAuth" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:190 msgid "pkinit" msgstr "pkinit" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:191 msgid "msScLogin" msgstr "msScLogin" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:195 msgid "" "Extended key usages which are not listed above can be specified with their " "OID in dotted-decimal notation." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:199 msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:204 msgid "<SAN>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:207 msgid "" "To be compatible with the usage of MIT Kerberos this option will match the " "Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" "Principal> does." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:212 msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:217 msgid "<SAN:Principal>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:220 msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:224 msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:229 msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:232 msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:236 msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:241 msgid "<SAN:pkinit>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:244 msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:247 msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:252 msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:255 msgid "" "Take the value of the otherName SAN component given by the OID in dotted-" "decimal notation, interpret it as string and try to match it against the " "regular expression." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:261 msgid "Example: <SAN:1.2.3.4>test" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:266 msgid "<SAN:otherName>base64-string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:269 msgid "" "Do a binary match with the base64 encoded blob against all otherName SAN " "components. With this option it is possible to match against custom " "otherName components with special encodings which could not be treated as " "strings." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:276 msgid "Example: <SAN:otherName>MTIz" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:281 msgid "<SAN:rfc822Name>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:284 msgid "Match the value of the rfc822Name SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:287 msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:292 msgid "<SAN:dNSName>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:295 msgid "Match the value of the dNSName SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:298 msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:303 msgid "<SAN:x400Address>base64-string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:306 msgid "Binary match the value of the x400Address SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:309 msgid "Example: <SAN:x400Address>MTIz" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:314 msgid "<SAN:directoryName>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:317 msgid "" "Match the value of the directoryName SAN. The same comments as given for <" "ISSUER> and <SUBJECT> apply here as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:322 msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:327 msgid "<SAN:ediPartyName>base64-string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:330 msgid "Binary match the value of the ediPartyName SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:333 msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:338 msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:341 msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:344 msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:349 msgid "<SAN:iPAddress>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:352 msgid "Match the value of the iPAddress SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:355 msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:360 msgid "<SAN:registeredID>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:363 msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:367 msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:96 msgid "" "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:375 msgid "MAPPING RULE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:377 msgid "" "The mapping rule is used to associate a certificate with one or more " "accounts. A Smartcard with the certificate and the matching private key can " "then be used to authenticate as one of those accounts." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:382 msgid "" "Currently SSSD basically only supports LDAP to lookup user information (the " "exception is the proxy provider which is not of relevance here). Because of " "this the mapping rule is based on LDAP search filter syntax with templates " "to add certificate content to the filter. It is expected that the filter " "will only contain the specific data needed for the mapping and that the " "caller will embed it in another filter to do the actual search. Because of " "this the filter string should start and stop with '(' and ')' respectively." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:392 msgid "" "In general it is recommended to use attributes from the certificate and add " "them to special attributes to the LDAP user object. E.g. the " "'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " "for IPA can be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:398 msgid "" "This should be preferred to read user specific data from the certificate " "like e.g. an email address and search for it in the LDAP server. The reason " "is that the user specific data in LDAP might change for various reasons " "would break the mapping. On the other hand it would be hard to break the " "mapping on purpose for a specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:406 msgid "" "The default <quote>mapping rule</quote> type is 'LDAP' which can be added as " "a prefix to a rule like e.g. 'LDAP:(userCertificate;binary={cert!bin})'. " "There is an extension called 'LDAPU1' which offer more templates for more " "flexibility. To allow older versions of this library to ignore the extension " "the prefix 'LDAPU1' must be used when using the new templates in a " "<quote>mapping rule</quote> otherwise the old version of this library will " "fail with a parsing error. The new templates are described in section <xref " "linkend=\"map_ldapu1\"/>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:424 msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:427 msgid "" "This template will add the full issuer DN converted to a string according to " "RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " "the '_x500' prefix should be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:433 sss-certmap.5.xml:459 msgid "" "The conversion options starting with 'ad_' will use attribute names as used " "by AD, e.g. 'S' instead of 'ST'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:437 sss-certmap.5.xml:463 msgid "" "The conversion options starting with 'nss_' will use attribute names as used " "by NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:441 sss-certmap.5.xml:467 msgid "" "The default conversion option is 'nss', i.e. attribute names according to " "NSS and LDAP/RFC 4514 ordering." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:445 msgid "" "Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" "ad})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:450 msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:453 msgid "" "This template will add the full subject DN converted to string according to " "RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " "the '_x500' prefix should be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:471 msgid "" "Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" "{subject_dn!nss_x500})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:476 msgid "{cert[!(bin|base64)]}" msgstr "{cert[!(bin|base64)]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:479 msgid "" "This template will add the whole DER encoded certificate as a string to the " "search filter. Depending on the conversion option the binary certificate is " "either converted to an escaped hex sequence '\\xx' or base64. The escaped " "hex sequence is the default and can e.g. be used with the LDAP attribute " "'userCertificate;binary'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:487 msgid "Example: (userCertificate;binary={cert!bin})" msgstr "Příklad: (userCertificate;binary={cert!bin})" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:492 msgid "{subject_principal[.short_name]}" msgstr "{subject_principal[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:495 msgid "" "This template will add the Kerberos principal which is taken either from the " "SAN used by pkinit or the one used by AD. The 'short_name' component " "represents the first part of the principal before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:501 msgid "" "Example: (|(userPrincipal={subject_principal})" "(samAccountName={subject_principal.short_name}))" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:506 msgid "{subject_pkinit_principal[.short_name]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:509 msgid "" "This template will add the Kerberos principal which is given by the SAN used " "by pkinit. The 'short_name' component represents the first part of the " "principal before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:515 msgid "" "Example: (|(userPrincipal={subject_pkinit_principal})" "(uid={subject_pkinit_principal.short_name}))" msgstr "" "Příklad: (|(userPrincipal={subject_pkinit_principal})" "(uid={subject_pkinit_principal.short_name}))" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:520 msgid "{subject_nt_principal[.short_name]}" msgstr "{subject_nt_principal[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:523 msgid "" "This template will add the Kerberos principal which is given by the SAN used " "by AD. The 'short_name' component represent the first part of the principal " "before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:529 #, fuzzy #| msgid "" #| "Example: (|(userPrincipal={subject_pkinit_principal})" #| "(uid={subject_pkinit_principal.short_name}))" msgid "" "Example: (|(userPrincipalName={subject_nt_principal})" "(samAccountName={subject_nt_principal.short_name}))" msgstr "" "Příklad: (|(userPrincipal={subject_pkinit_principal})" "(uid={subject_pkinit_principal.short_name}))" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:534 msgid "{subject_rfc822_name[.short_name]}" msgstr "{subject_rfc822_name[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:537 msgid "" "This template will add the string which is stored in the rfc822Name " "component of the SAN, typically an email address. The 'short_name' component " "represents the first part of the address before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:543 msgid "" "Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." "short_name}))" msgstr "" "Příklad: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." "short_name}))" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:548 msgid "{subject_dns_name[.short_name]}" msgstr "{subject_dns_name[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:551 msgid "" "This template will add the string which is stored in the dNSName component " "of the SAN, typically a fully-qualified host name. The 'short_name' " "component represents the first part of the name before the first '.' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:557 msgid "" "Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" "Příklad: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:562 msgid "{subject_uri}" msgstr "{subject_uri}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:565 msgid "" "This template will add the string which is stored in the " "uniformResourceIdentifier component of the SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:569 msgid "Example: (uri={subject_uri})" msgstr "Příklad: (uri={subject_uri})" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:574 msgid "{subject_ip_address}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:577 msgid "" "This template will add the string which is stored in the iPAddress component " "of the SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:581 msgid "Example: (ip={subject_ip_address})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:586 msgid "{subject_x400_address}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:589 msgid "" "This template will add the value which is stored in the x400Address " "component of the SAN as escaped hex sequence." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:594 msgid "Example: (attr:binary={subject_x400_address})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:599 msgid "" "{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:602 msgid "" "This template will add the DN string of the value which is stored in the " "directoryName component of the SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:606 msgid "Example: (orig_dn={subject_directory_name})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:611 msgid "{subject_ediparty_name}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:614 msgid "" "This template will add the value which is stored in the ediPartyName " "component of the SAN as escaped hex sequence." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:619 msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:624 msgid "{subject_registered_id}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:627 msgid "" "This template will add the OID which is stored in the registeredID component " "of the SAN as a dotted-decimal string." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:632 msgid "Example: (oid={subject_registered_id})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:417 msgid "" "The templates to add certificate data to the search filter are based on " "Python-style formatting strings. They consist of a keyword in curly braces " "with an optional sub-component specifier separated by a '.' or an optional " "conversion/formatting option separated by a '!'. Allowed values are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><title> #: sss-certmap.5.xml:639 msgid "LDAPU1 extension" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para> #: sss-certmap.5.xml:641 msgid "The following template are available when using the 'LDAPU1' extension:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:647 msgid "{serial_number[!(dec|hex[_ucr])]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:650 msgid "" "This template will add the serial number of the certificate. By default it " "will be printed as a hexadecimal number with lower-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:655 msgid "" "With the formatting option '!dec' the number will be printed as decimal " "string. The hexadecimal output can be printed with upper-case letters ('!" "hex_u'), with a colon separating the hexadecimal bytes ('!hex_c') or with " "the hexadecimal bytes in reverse order ('!hex_r'). The postfix letters can " "be combined so that e.g. '!hex_uc' will produce a colon-separated " "hexadecimal string with upper-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:665 #, fuzzy #| msgid "Example: (uri={subject_uri})" msgid "Example: LDAPU1:(serial={serial_number})" msgstr "Příklad: (uri={subject_uri})" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:671 msgid "{subject_key_id[!hex[_ucr]]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:674 msgid "" "This template will add the subject key id of the certificate. By default it " "will be printed as a hexadecimal number with lower-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:679 msgid "" "The hexadecimal output can be printed with upper-case letters ('!hex_u'), " "with a colon separating the hexadecimal bytes ('!hex_c') or with the " "hexadecimal bytes in reverse order ('!hex_r'). The postfix letters can be " "combined so that e.g. '!hex_uc' will produce a colon-separated hexadecimal " "string with upper-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:688 #, fuzzy #| msgid "Example: (uri={subject_uri})" msgid "Example: LDAPU1:(ski={subject_key_id})" msgstr "Příklad: (uri={subject_uri})" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:694 msgid "{cert[!DIGEST[_ucr]]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:697 msgid "" "This template will add the hexadecimal digest/hash of the certificate where " "DIGEST must be replaced with the name of a digest/hash function supported by " "OpenSSL, e.g. 'sha512'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:703 msgid "" "The hexadecimal output can be printed with upper-case letters ('!sha512_u'), " "with a colon separating the hexadecimal bytes ('!sha512_c') or with the " "hexadecimal bytes in reverse order ('!sha512_r'). The postfix letters can be " "combined so that e.g. '!sha512_uc' will produce a colon-separated " "hexadecimal string with upper-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:712 msgid "Example: LDAPU1:(dgst={cert!sha256})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:718 #, fuzzy #| msgid "{subject_dns_name[.short_name]}" msgid "{subject_dn_component[(.attr_name|[number]]}" msgstr "{subject_dns_name[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:721 msgid "" "This template will add an attribute value of a component of the subject DN, " "by default the value of the most specific component." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:726 msgid "" "A different component can it either selected by attribute name, e.g. " "{subject_dn_component.uid} or by position, e.g. {subject_dn_component.[2]} " "where positive numbers start counting from the most specific component and " "negative numbers start counting from the least specific component. Attribute " "name and the position can be combined as e.g. {subject_dn_component.uid[2]} " "which means that the name of the second component must be 'uid'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:737 #, fuzzy #| msgid "Example: (uri={subject_uri})" msgid "Example: LDAPU1:(uid={subject_dn_component.uid})" msgstr "Příklad: (uri={subject_uri})" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:743 msgid "{issuer_dn_component[(.attr_name|[number]]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:746 msgid "" "This template will add an attribute value of a component of the issuer DN, " "by default the value of the most specific component." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:751 msgid "" "See 'subject_dn_component' for details about the attribute name and position " "specifiers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:755 msgid "" "Example: LDAPU1:(domain={issuer_dn_component.[-2]}.{issuer_dn_component." "dc[-1]})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:760 msgid "{sid[.rid]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:763 msgid "" "This template will add the SID if the corresponding extension introduced by " "Microsoft with the OID 1.3.6.1.4.1.311.25.2 is available. With the '.rid' " "selector only the last component, i.e. the RID, will be added." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:770 msgid "Example: LDAPU1:(objectsid={sid})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:779 msgid "DOMAIN LIST" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:781 msgid "" "If the domain list is not empty users mapped to a given certificate are not " "only searched in the local domain but in the listed domains as well as long " "as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 msgid "sssd-ipa" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ipa.5.xml:17 msgid "SSSD IPA provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:23 msgid "" "This manual page describes the configuration of the IPA provider for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:36 msgid "" "The IPA provider is a back end used to connect to an IPA server. (Refer to " "the freeipa.org web site for information about IPA servers.) This provider " "requires that the machine be joined to the IPA domain; configuration is " "almost entirely self-discovered and obtained directly from the server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:43 msgid "" "The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " "provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> authentication provider with " "optimizations for IPA environments. The IPA provider accepts the same " "options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " "However, it is neither necessary nor recommended to set these options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:57 msgid "" "The IPA provider primarily copies the traditional ldap and krb5 provider " "default options with some exceptions, the differences are listed in the " "<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:62 msgid "" "As an access provider, the IPA provider has a minimal configuration (see " "<quote>ipa_access_order</quote>) as it mainly uses HBAC (host-based access " "control) rules. Please refer to freeipa.org for more information about HBAC." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:68 msgid "" "If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " "configured in sssd.conf then the id_provider must also be set to <quote>ipa</" "quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:74 msgid "" "The IPA provider will use the PAC responder if the Kerberos tickets of users " "from trusted realms contain a PAC. To make configuration easier the PAC " "responder is started automatically if the IPA ID provider is configured." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:90 msgid "ipa_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:93 msgid "" "Specifies the name of the IPA domain. This is optional. If not provided, " "the configuration domain name is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:101 msgid "ipa_server, ipa_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:104 msgid "" "The comma-separated list of IP addresses or hostnames of the IPA servers to " "which SSSD should connect in the order of preference. For more information " "on failover and server redundancy, see the <quote>FAILOVER</quote> section. " "This is optional if autodiscovery is enabled. For more information on " "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:117 msgid "ipa_hostname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:120 msgid "" "Optional. May be set on machines where the hostname(5) does not reflect the " "fully qualified name used in the IPA domain to identify this host. The " "hostname must be fully qualified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:129 sssd-ad.5.xml:1181 msgid "dyndns_update (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:132 msgid "" "Optional. This option tells SSSD to automatically update the DNS server " "built into FreeIPA with the IP address of this client. The update is secured " "using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " "updates, if it is not otherwise specified by using the <quote>dyndns_iface</" "quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:141 sssd-ad.5.xml:1195 msgid "" "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " "the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:146 msgid "" "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" "emphasis> option, users should migrate to using <emphasis>dyndns_update</" "emphasis> in their config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:158 sssd-ad.5.xml:1206 msgid "dyndns_ttl (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:161 sssd-ad.5.xml:1209 msgid "" "The TTL to apply to the client DNS record when updating it. If " "dyndns_update is false this has no effect. This will override the TTL " "serverside if set by an administrator." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:166 msgid "" "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" "emphasis> in their config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:172 msgid "Default: 1200 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:178 sssd-ad.5.xml:1220 msgid "dyndns_iface (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:181 sssd-ad.5.xml:1223 msgid "" "Optional. Applicable only when dyndns_update is true. Choose the interface " "or a list of interfaces whose IP addresses should be used for dynamic DNS " "updates. Special value <quote>*</quote> implies that IPs from all interfaces " "should be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:188 msgid "" "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" "emphasis> option, users should migrate to using <emphasis>dyndns_iface</" "emphasis> in their config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:194 msgid "" "Default: Use the IP addresses of the interface which is used for IPA LDAP " "connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:198 sssd-ad.5.xml:1234 msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:204 sssd-ad.5.xml:1290 msgid "dyndns_auth (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:207 sssd-ad.5.xml:1293 msgid "" "Whether the nsupdate utility should use GSS-TSIG authentication for secure " "updates with the DNS server, insecure updates can be sent by setting this " "option to 'none'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:213 sssd-ad.5.xml:1299 msgid "Default: GSS-TSIG" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:219 sssd-ad.5.xml:1305 msgid "dyndns_auth_ptr (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:222 sssd-ad.5.xml:1308 msgid "" "Whether the nsupdate utility should use GSS-TSIG authentication for secure " "PTR updates with the DNS server, insecure updates can be sent by setting " "this option to 'none'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:228 sssd-ad.5.xml:1314 msgid "Default: Same as dyndns_auth" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:234 msgid "ipa_enable_dns_sites (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:237 sssd-ad.5.xml:238 msgid "Enables DNS sites - location based service discovery." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:241 msgid "" "If true and service discovery (see Service Discovery paragraph at the bottom " "of the man page) is enabled, then the SSSD will first attempt location " "based discovery using a query that contains \"_location.hostname.example." "com\" and then fall back to traditional SRV discovery. If the location based " "discovery succeeds, the IPA servers located with the location based " "discovery are treated as primary servers and the IPA servers located using " "the traditional SRV discovery are used as back up servers" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:260 sssd-ad.5.xml:1240 msgid "dyndns_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:263 msgid "" "How often should the back end perform periodic DNS update in addition to the " "automatic update performed when the back end goes online. This option is " "optional and applicable only when dyndns_update is true." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:276 sssd-ad.5.xml:1258 msgid "dyndns_update_ptr (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:279 sssd-ad.5.xml:1261 msgid "" "Whether the PTR record should also be explicitly updated when updating the " "client's DNS records. Applicable only when dyndns_update is true." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:284 msgid "" "This option should be False in most IPA deployments as the IPA server " "generates the PTR records automatically when forward records are changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:290 sssd-ad.5.xml:1266 msgid "" "Note that <emphasis>dyndns_update_per_family</emphasis> parameter does not " "apply for PTR record updates. Those updates are always sent separately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:295 msgid "Default: False (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:301 sssd-ad.5.xml:1277 msgid "dyndns_force_tcp (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:304 sssd-ad.5.xml:1280 msgid "" "Whether the nsupdate utility should default to using TCP for communicating " "with the DNS server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:308 sssd-ad.5.xml:1284 msgid "Default: False (let nsupdate choose the protocol)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:314 sssd-ad.5.xml:1320 msgid "dyndns_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:317 sssd-ad.5.xml:1323 msgid "" "The DNS server to use when performing a DNS update. In most setups, it's " "recommended to leave this option unset." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:322 sssd-ad.5.xml:1328 msgid "" "Setting this option makes sense for environments where the DNS server is " "different from the identity server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:327 sssd-ad.5.xml:1333 msgid "" "Please note that this option will be only used in fallback attempt when " "previous attempt using autodetected settings failed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:332 sssd-ad.5.xml:1338 msgid "Default: None (let nsupdate choose the server)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:338 sssd-ad.5.xml:1344 msgid "dyndns_update_per_family (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:341 sssd-ad.5.xml:1347 msgid "" "DNS update is by default performed in two steps - IPv4 update and then IPv6 " "update. In some cases it might be desirable to perform IPv4 and IPv6 update " "in single step." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:353 #, fuzzy #| msgid "krb5_rcache_dir (string)" msgid "ipa_access_order (string)" msgstr "krb5_rcache_dir (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:360 msgid "<emphasis>expire</emphasis>: use IPA's account expiration policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:399 msgid "" "Please note that 'access_provider = ipa' must be set for this feature to " "work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:406 msgid "ipa_deskprofile_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:409 msgid "" "Optional. Use the given string as search base for Desktop Profile related " "objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:413 sssd-ipa.5.xml:440 msgid "Default: Use base DN" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:419 #, fuzzy #| msgid "simple_deny_users (string)" msgid "ipa_subid_ranges_search_base (string)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:422 msgid "" "Optional. Use the given string as search base for subordinate ranges related " "objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:426 msgid "Default: the value of <emphasis>cn=subids,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:433 msgid "ipa_hbac_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:436 msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:446 msgid "ipa_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:449 msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:455 msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:458 msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:474 msgid "ipa_subdomains_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:477 msgid "Optional. Use the given string as search base for trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:486 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:493 msgid "ipa_master_domain_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:496 msgid "Optional. Use the given string as search base for master domain object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:505 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:512 msgid "ipa_views_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:515 msgid "Optional. Use the given string as search base for views containers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:524 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:534 msgid "" "The name of the Kerberos realm. This is optional and defaults to the value " "of <quote>ipa_domain</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:538 msgid "" "The name of the Kerberos realm has a special meaning in IPA - it is " "converted into the base DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:546 sssd-ad.5.xml:1362 msgid "krb5_confd_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:549 sssd-ad.5.xml:1365 msgid "" "Absolute path of a directory where SSSD should place Kerberos configuration " "snippets." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:553 sssd-ad.5.xml:1369 msgid "" "To disable the creation of the configuration snippets set the parameter to " "'none'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:557 sssd-ad.5.xml:1373 msgid "" "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:564 msgid "ipa_deskprofile_refresh (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:567 msgid "" "The amount of time between lookups of the Desktop Profile rules against the " "IPA server. This will reduce the latency and load on the IPA server if there " "are many desktop profiles requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:574 sssd-ipa.5.xml:604 sssd-ipa.5.xml:620 sssd-ad.5.xml:599 msgid "Default: 5 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:580 msgid "ipa_deskprofile_request_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:583 msgid "" "The amount of time between lookups of the Desktop Profile rules against the " "IPA server in case the last request did not return any rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:588 msgid "Default: 60 (minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:594 msgid "ipa_hbac_refresh (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:597 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server. " "This will reduce the latency and load on the IPA server if there are many " "access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:610 msgid "ipa_hbac_selinux (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:613 msgid "" "The amount of time between lookups of the SELinux maps against the IPA " "server. This will reduce the latency and load on the IPA server if there are " "many user login requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:626 msgid "ipa_server_mode (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:629 msgid "" "This option will be set by the IPA installer (ipa-server-install) " "automatically and denotes if SSSD is running on an IPA server or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:634 msgid "" "On an IPA server SSSD will lookup users and groups from trusted domains " "directly while on a client it will ask an IPA server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:639 msgid "" "NOTE: There are currently some assumptions that must be met when SSSD is " "running on an IPA server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:644 msgid "" "The <quote>ipa_server</quote> option must be configured to point to the IPA " "server itself. This is already the default set by the IPA installer, so no " "manual change is required." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:653 msgid "" "The <quote>full_name_format</quote> option must not be tweaked to only print " "short names for users from trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:668 msgid "ipa_automount_location (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:671 msgid "The automounter location this IPA client will be using" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:674 msgid "Default: The location named \"default\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ipa.5.xml:682 msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:691 msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:694 msgid "Objectclass of the view container." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:697 msgid "Default: nsContainer" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:703 msgid "ipa_view_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:706 msgid "Name of the attribute holding the name of the view." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:710 sssd-ldap-attributes.5.xml:496 #: sssd-ldap-attributes.5.xml:832 sssd-ldap-attributes.5.xml:913 #: sssd-ldap-attributes.5.xml:1010 sssd-ldap-attributes.5.xml:1068 #: sssd-ldap-attributes.5.xml:1226 sssd-ldap-attributes.5.xml:1271 msgid "Default: cn" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:716 msgid "ipa_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:719 msgid "Objectclass of the override objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:722 msgid "Default: ipaOverrideAnchor" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:728 msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:731 msgid "" "Name of the attribute containing the reference to the original object in a " "remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:735 msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:741 msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:744 msgid "" "Name of the objectclass for user overrides. It is used to determine if the " "found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:749 msgid "User overrides can contain attributes given by" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:752 msgid "ldap_user_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:755 msgid "ldap_user_uid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:758 msgid "ldap_user_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:761 msgid "ldap_user_gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:764 msgid "ldap_user_home_directory" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:767 msgid "ldap_user_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:770 msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:775 msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:781 msgid "ipa_group_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:784 msgid "" "Name of the objectclass for group overrides. It is used to determine if the " "found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:789 msgid "Group overrides can contain attributes given by" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:792 msgid "ldap_group_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:795 msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:800 msgid "Default: ipaGroupOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:684 msgid "" "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " "later version. Since all paths and objectclasses are fixed on the server " "side there is basically no need to configure anything. For completeness the " "related options are listed here with their default values. <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ipa.5.xml:812 msgid "SUBDOMAINS PROVIDER" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:814 msgid "" "The IPA subdomains provider behaves slightly differently if it is configured " "explicitly or implicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:818 msgid "" "If the option 'subdomains_provider = ipa' is found in the domain section of " "sssd.conf, the IPA subdomains provider is configured explicitly, and all " "subdomain requests are sent to the IPA server if necessary." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:824 msgid "" "If the option 'subdomains_provider' is not set in the domain section of sssd." "conf but there is the option 'id_provider = ipa', the IPA subdomains " "provider is configured implicitly. In this case, if a subdomain request " "fails and indicates that the server does not support subdomains, i.e. is not " "configured for trusts, the IPA subdomains provider is disabled. After an " "hour or after the IPA provider goes online, the subdomains provider is " "enabled again." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ipa.5.xml:835 msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ipa.5.xml:843 #, no-wrap msgid "" "[domain/ipa.domain.com/ad.domain.com]\n" "ad_server = dc.ad.domain.com\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:837 msgid "" "Some configuration options can also be set for a trusted domain. A trusted " "domain configuration can be set using the trusted domain subsection as shown " "in the example below. Alternatively, the <quote>subdomain_inherit</quote> " "option can be used in the parent domain. <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:848 msgid "" "For more details, see the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:855 msgid "" "Different configuration options are tunable for a trusted domain depending " "on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ipa.5.xml:860 msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:862 msgid "" "The following options can be set in a subdomain section on an IPA master:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:866 sssd-ipa.5.xml:896 msgid "ad_server" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:869 msgid "ad_backup_server" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:872 sssd-ipa.5.xml:899 msgid "ad_site" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:875 msgid "ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:878 msgid "ldap_user_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:881 msgid "ldap_group_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ipa.5.xml:890 msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:892 msgid "" "The following options can be set in a subdomain section on an IPA client:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:904 msgid "" "Note that if both options are set, only <quote>ad_server</quote> is " "evaluated." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:908 msgid "" "Since any request for a user or a group identity from a trusted domain " "triggered from an IPA client is resolved by the IPA server, the " "<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " "which AD DC will the authentication be performed against. In particular, the " "addresses resolved from these lists will be written to <quote>kdcinfo</" "quote> files read by the Kerberos locator plugin. Please refer to the " "<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " "Kerberos locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:932 msgid "" "The following example assumes that SSSD is correctly configured and example." "com is one of the domains in the <replaceable>[sssd]</replaceable> section. " "This examples shows only the ipa provider-specific options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ipa.5.xml:939 #, no-wrap msgid "" "[domain/example.com]\n" "id_provider = ipa\n" "ipa_server = ipaserver.example.com\n" "ipa_hostname = myhost.example.com\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ad.5.xml:10 sssd-ad.5.xml:16 msgid "sssd-ad" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ad.5.xml:17 msgid "SSSD Active Directory provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:23 msgid "" "This manual page describes the configuration of the AD provider for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:36 msgid "" "The AD provider is a back end used to connect to an Active Directory server. " "This provider requires that the machine be joined to the AD domain and a " "keytab is available. Back end communication occurs over a GSSAPI-encrypted " "channel, SSL/TLS options should not be used with the AD provider and will be " "superseded by Kerberos usage." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:44 msgid "" "The AD provider supports connecting to Active Directory 2008 R2 or later. " "Earlier versions may work, but are unsupported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:48 msgid "" "The AD provider can be used to get user information and authenticate users " "from trusted domains. Currently only trusted domains in the same forest are " "recognized. In addition servers from trusted domains are always auto-" "discovered." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:54 msgid "" "The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " "provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> authentication provider with " "optimizations for Active Directory environments. The AD provider accepts the " "same options used by the sssd-ldap and sssd-krb5 providers with some " "exceptions. However, it is neither necessary nor recommended to set these " "options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:69 msgid "" "The AD provider primarily copies the traditional ldap and krb5 provider " "default options with some exceptions, the differences are listed in the " "<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:74 msgid "" "The AD provider can also be used as an access, chpass, sudo and autofs " "provider. No configuration of the access provider is required on the client " "side." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:79 msgid "" "If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " "configured in sssd.conf then the id_provider must also be set to <quote>ad</" "quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ad.5.xml:91 #, no-wrap msgid "" "ldap_id_mapping = False\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:85 msgid "" "By default, the AD provider will map UID and GID values from the objectSID " "parameter in Active Directory. For details on this, see the <quote>ID " "MAPPING</quote> section below. If you want to disable ID mapping and instead " "rely on POSIX attributes defined in Active Directory, you should set " "<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " "be used, it is recommended for performance reasons that the attributes are " "also replicated to the Global Catalog. If POSIX attributes are replicated, " "SSSD will attempt to locate the domain of a requested numerical ID with the " "help of the Global Catalog and only search that domain. In contrast, if " "POSIX attributes are not replicated to the Global Catalog, SSSD must search " "all the domains in the forest sequentially. Please note that the " "<quote>cache_first</quote> option might be also helpful in speeding up " "domainless searches. Note that if only a subset of POSIX attributes is " "present in the Global Catalog, the non-replicated attributes are currently " "not read from the LDAP port." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:108 msgid "" "Users, groups and other entities served by SSSD are always treated as case-" "insensitive in the AD provider for compatibility with Active Directory's " "LDAP implementation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:113 msgid "" "SSSD only resolves Active Directory Security Groups. For more information " "about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/" "windows-server/identity/ad-ds/manage/understand-security-groups\"> Active " "Directory security groups</ulink>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:120 msgid "" "SSSD filters out Domain Local groups from remote domains in the AD forest. " "By default they are filtered out e.g. when following a nested group " "hierarchy in remote domains because they are not valid in the local domain. " "This is done to be in agreement with Active Directory's group-membership " "assignment which can be seen in the PAC of the Kerberos ticket of a user " "issued by Active Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:138 msgid "ad_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:141 msgid "" "Specifies the name of the Active Directory domain. This is optional. If not " "provided, the configuration domain name is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:146 msgid "" "For proper operation, this option should be specified as the lower-case " "version of the long version of the Active Directory domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:151 msgid "" "The short domain name (also known as the NetBIOS or the flat name) is " "autodetected by the SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:158 msgid "ad_enabled_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:161 msgid "" "A comma-separated list of enabled Active Directory domains. If provided, " "SSSD will ignore any domains not listed in this option. If left unset, all " "discovered domains from the AD forest will be available." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:168 msgid "" "During the discovery of the domains SSSD will filter out some domains where " "flags or attributes indicate that they do not belong to the local forest or " "are not trusted. If ad_enabled_domains is set, SSSD will try to enable all " "listed domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:179 #, no-wrap msgid "" "ad_enabled_domains = sales.example.com, eng.example.com\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:175 msgid "" "For proper operation, this option must be specified in all lower-case and as " "the fully qualified domain name of the Active Directory domain. For example: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:183 msgid "" "The short domain name (also known as the NetBIOS or the flat name) will be " "autodetected by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:193 msgid "ad_server, ad_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:196 msgid "" "The comma-separated list of hostnames of the AD servers to which SSSD should " "connect in order of preference. For more information on failover and server " "redundancy, see the <quote>FAILOVER</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:203 msgid "" "This is optional if autodiscovery is enabled. For more information on " "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:208 msgid "" "Note: Trusted domains will always auto-discover servers even if the primary " "server is explicitly defined in the ad_server option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:216 msgid "ad_hostname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:219 msgid "" "Optional. On machines where the hostname(5) does not reflect the fully " "qualified name, sssd will try to expand the short name. If it is not " "possible or the short name should be really used instead, set this parameter " "explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:226 msgid "" "This field is used to determine the host principal in use in the keytab and " "to perform dynamic DNS updates. It must match the hostname for which the " "keytab was issued." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:235 msgid "ad_enable_dns_sites (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:242 msgid "" "If true and service discovery (see Service Discovery paragraph at the bottom " "of the man page) is enabled, the SSSD will first attempt to discover the " "Active Directory server to connect to using the Active Directory Site " "Discovery and fall back to the DNS SRV records if no AD site is found. The " "DNS SRV configuration, including the discovery domain, is used during site " "discovery as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:258 msgid "ad_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:261 msgid "" "This option specifies LDAP access control filter that the user must match in " "order to be allowed access. Please note that the <quote>access_provider</" "quote> option must be explicitly set to <quote>ad</quote> in order for this " "option to have an effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:269 msgid "" "The option also supports specifying different filters per domain or forest. " "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " "The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " "missing." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:277 msgid "" "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" "quote> specifies the domain or subdomain the filter applies to. If the " "keyword equals to <quote>FOREST</quote>, then the filter equals to all " "domains from the forest specified by <quote>NAME</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:285 msgid "" "Multiple filters can be separated with the <quote>?</quote> character, " "similarly to how search bases work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:290 msgid "" "Nested group membership must be searched for using a special OID " "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." "example.org: syntax to ensure the parser does not attempt to interpret the " "colon characters associated with the OID. If you do not use this OID then " "nested group membership will not be resolved. See usage example below and " "refer here for further information about the OID: <ulink url=\"https://msdn." "microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " "extensions</ulink>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:303 msgid "" "The most specific match is always used. For example, if the option specified " "filter for a domain the user is a member of and a global filter, the per-" "domain filter would be applied. If there are more matches with the same " "specification, the first one is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> #: sssd-ad.5.xml:314 #, no-wrap msgid "" "# apply filter on domain called dom1 only:\n" "dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" "\n" "# apply filter on domain called dom2 only:\n" "DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" "\n" "# apply filter on forest called EXAMPLE.COM only:\n" "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" "\n" "# apply filter for a member of a nested group in dom1:\n" "DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:333 msgid "ad_site (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:336 msgid "" "Specify AD site to which client should try to connect. If this option is " "not provided, the AD site will be auto-discovered." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:347 msgid "ad_enable_gc (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:350 msgid "" "By default, the SSSD connects to the Global Catalog first to retrieve users " "from trusted domains and uses the LDAP port to retrieve group memberships or " "as a fallback. Disabling this option makes the SSSD only connect to the LDAP " "port of the current AD server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:358 msgid "" "Please note that disabling Global Catalog support does not disable " "retrieving users from trusted domains. The SSSD would connect to the LDAP " "port of trusted domains instead. However, Global Catalog must be used in " "order to resolve cross-domain group memberships." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:372 msgid "ad_gpo_access_control (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:375 msgid "" "This option specifies the operation mode for GPO-based access control " "functionality: whether it operates in disabled mode, enforcing mode, or " "permissive mode. Please note that the <quote>access_provider</quote> option " "must be explicitly set to <quote>ad</quote> in order for this option to have " "an effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:384 msgid "" "GPO-based access control functionality uses GPO policy settings to determine " "whether or not a particular user is allowed to logon to the host. For more " "information on the supported policy settings please refer to the " "<quote>ad_gpo_map</quote> options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:392 msgid "" "Please note that current version of SSSD does not support Active Directory's " "built-in groups. Built-in groups (such as Administrators with SID " "S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " "upstream issue tracker https://github.com/SSSD/sssd/issues/5063 ." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:401 msgid "" "Before performing access control SSSD applies group policy security " "filtering on the GPOs. For every single user login, the applicability of the " "GPOs that are linked to the host is checked. In order for a GPO to apply to " "a user, the user or at least one of the groups to which it belongs must have " "following permissions on the GPO:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:411 msgid "" "Read: The user or one of its groups must have read access to the properties " "of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:418 msgid "" "Apply Group Policy: The user or at least one of its groups must be allowed " "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:426 msgid "" "By default, the Authenticated Users group is present on a GPO and this group " "has both Read and Apply Group Policy access rights. Since authentication of " "a user must have been completed successfully before GPO security filtering " "and access control are started, the Authenticated Users group permissions on " "the GPO always apply also to the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:435 msgid "" "NOTE: If the operation mode is set to enforcing, it is possible that users " "that were previously allowed logon access will now be denied logon access " "(as dictated by the GPO policy settings). In order to facilitate a smooth " "transition for administrators, a permissive mode is available that will not " "enforce the access control rules, but will evaluate them and will output a " "syslog message if access would have been denied. By examining the logs, " "administrators can then make the necessary changes before setting the mode " "to enforcing. For logging GPO-based access control debug level 'trace " "functions' is required (see <citerefentry> <refentrytitle>sssctl</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:454 msgid "There are three supported values for this option:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:458 msgid "" "disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:464 msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:470 msgid "" "permissive: GPO-based access control rules are evaluated, but not enforced. " "Instead, a syslog message will be emitted indicating that the user would " "have been denied access if this option's value were set to enforcing." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:481 msgid "Default: permissive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:484 msgid "Default: enforcing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:490 msgid "ad_gpo_implicit_deny (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:493 msgid "" "Normally when no applicable GPOs are found the users are allowed access. " "When this option is set to True users will be allowed access only when " "explicitly allowed by a GPO rule. Otherwise users will be denied access. " "This can be used to harden security but be careful when using this option " "because it can deny access even to users in the built-in Administrators " "group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:509 msgid "" "The following 2 tables should illustrate when a user is allowed or rejected " "based on the allow and deny login rights defined on the server-side and the " "setting of ad_gpo_implicit_deny." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:521 msgid "ad_gpo_implicit_deny = False (default)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:522 sssd-ad.5.xml:548 msgid "allow-rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:522 sssd-ad.5.xml:548 msgid "deny-rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:523 sssd-ad.5.xml:549 msgid "results" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> #: sssd-ad.5.xml:526 sssd-ad.5.xml:529 sssd-ad.5.xml:532 sssd-ad.5.xml:552 #: sssd-ad.5.xml:555 sssd-ad.5.xml:558 msgid "missing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:527 msgid "all users are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> #: sssd-ad.5.xml:529 sssd-ad.5.xml:532 sssd-ad.5.xml:535 sssd-ad.5.xml:555 #: sssd-ad.5.xml:558 sssd-ad.5.xml:561 msgid "present" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:530 msgid "only users not in deny-rules are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:533 sssd-ad.5.xml:559 msgid "only users in allow-rules are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:536 sssd-ad.5.xml:562 msgid "only users in allow-rules and not in deny-rules are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:547 msgid "ad_gpo_implicit_deny = True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:553 sssd-ad.5.xml:556 msgid "no users are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:569 msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:572 msgid "" "Normally when some group policy containers (AD object) of applicable group " "policy objects are not readable by SSSD then users are denied access. This " "option allows to ignore group policy containers and with them associated " "policies if their attributes in group policy containers are not readable for " "SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:589 msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:592 msgid "" "The amount of time between lookups of GPO policy files against the AD " "server. This will reduce the latency and load on the AD server if there are " "many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:605 msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:608 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the InteractiveLogonRight and " "DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " "for which the user has Read and Apply Group Policy permission (see option " "<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " "deny interactive logon setting for the user or one of its groups, the user " "is denied local access. If none of the evaluated GPOs has an interactive " "logon right defined, the user is granted local access. If at least one " "evaluated GPO contains interactive logon right settings, the user is granted " "local access only, if it or at least one of its groups is part of the policy " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:626 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on locally\" and \"Deny log on locally\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:640 #, no-wrap msgid "" "ad_gpo_map_interactive = +my_pam_service, -login\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:631 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right (e.g. " "<quote>login</quote>) with a custom pam service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:663 msgid "gdm-fingerprint" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:683 msgid "lightdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:688 msgid "lxdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:693 msgid "sddm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:698 msgid "unity" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:703 msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:712 msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:715 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the RemoteInteractiveLogonRight and " "DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " "evaluated for which the user has Read and Apply Group Policy permission (see " "option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " "the deny remote logon setting for the user or one of its groups, the user is " "denied remote interactive access. If none of the evaluated GPOs has a " "remote interactive logon right defined, the user is granted remote access. " "If at least one evaluated GPO contains remote interactive logon right " "settings, the user is granted remote access only, if it or at least one of " "its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:734 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on through Remote Desktop Services\" and \"Deny log on through Remote " "Desktop Services\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:749 #, no-wrap msgid "" "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:740 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right (e.g. " "<quote>sshd</quote>) with a custom pam service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:757 msgid "sshd" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:762 msgid "cockpit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:771 msgid "ad_gpo_map_network (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:774 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the NetworkLogonRight and " "DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " "which the user has Read and Apply Group Policy permission (see option " "<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " "deny network logon setting for the user or one of its groups, the user is " "denied network logon access. If none of the evaluated GPOs has a network " "logon right defined, the user is granted logon access. If at least one " "evaluated GPO contains network logon right settings, the user is granted " "logon access only, if it or at least one of its groups is part of the policy " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:792 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Access " "this computer from the network\" and \"Deny access to this computer from the " "network\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:807 #, no-wrap msgid "" "ad_gpo_map_network = +my_pam_service, -ftp\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:798 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right (e.g. " "<quote>ftp</quote>) with a custom pam service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:815 msgid "ftp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:820 msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:829 msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:832 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " "policy settings. Only those GPOs are evaluated for which the user has Read " "and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" "quote>). If an evaluated GPO contains the deny batch logon setting for the " "user or one of its groups, the user is denied batch logon access. If none " "of the evaluated GPOs has a batch logon right defined, the user is granted " "logon access. If at least one evaluated GPO contains batch logon right " "settings, the user is granted logon access only, if it or at least one of " "its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:850 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:864 #, no-wrap msgid "" "ad_gpo_map_batch = +my_pam_service, -crond\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:855 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right (e.g. " "<quote>crond</quote>) with a custom pam service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:867 msgid "" "Note: Cron service name may differ depending on Linux distribution used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:873 msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:882 msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:885 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the ServiceLogonRight and " "DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " "which the user has Read and Apply Group Policy permission (see option " "<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " "deny service logon setting for the user or one of its groups, the user is " "denied service logon access. If none of the evaluated GPOs has a service " "logon right defined, the user is granted logon access. If at least one " "evaluated GPO contains service logon right settings, the user is granted " "logon access only, if it or at least one of its groups is part of the policy " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:903 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on as a service\" and \"Deny log on as a service\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:916 #, no-wrap msgid "" "ad_gpo_map_service = +my_pam_service\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:908 sssd-ad.5.xml:983 msgid "" "It is possible to add a PAM service name to the default set by using " "<quote>+service_name</quote>. Since the default set is empty, it is not " "possible to remove a PAM service name from the default set. For example, in " "order to add a custom pam service name (e.g. <quote>my_pam_service</quote>), " "you would use the following configuration: <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:926 msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:929 msgid "" "A comma-separated list of PAM service names for which GPO-based access is " "always granted, regardless of any GPO Logon Rights." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:943 #, no-wrap msgid "" "ad_gpo_map_permit = +my_pam_service, -sudo\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:934 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for unconditionally permitted " "access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:951 msgid "polkit-1" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:966 msgid "systemd-user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:975 msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:978 msgid "" "A comma-separated list of PAM service names for which GPO-based access is " "always denied, regardless of any GPO Logon Rights." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:991 #, no-wrap msgid "" "ad_gpo_map_deny = +my_pam_service\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1001 msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1004 msgid "" "This option defines how access control is evaluated for PAM service names " "that are not explicitly listed in one of the ad_gpo_map_* options. This " "option can be set in two different manners. First, this option can be set to " "use a default logon right. For example, if this option is set to " "'interactive', it means that unmapped PAM service names will be processed " "based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " "settings. Alternatively, this option can be set to either always permit or " "always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1017 msgid "Supported values for this option include:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1026 msgid "remote_interactive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1031 msgid "network" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1036 msgid "batch" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1041 msgid "service" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1046 msgid "permit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1051 msgid "deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1057 msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1063 msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1066 msgid "" "SSSD will check once a day if the machine account password is older than the " "given age in days and try to renew it. A value of 0 will disable the renewal " "attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1072 msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1078 msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1081 msgid "" "This option should only be used to test the machine account renewal task. " "The option expects 2 integers separated by a colon (':'). The first integer " "defines the interval in seconds how often the task is run. The second " "specifies the initial timeout in seconds before the task is run for the " "first time after startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1090 msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1096 msgid "ad_update_samba_machine_account_password (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1099 msgid "" "If enabled, when SSSD renews the machine account password, it will also be " "updated in Samba's database. This prevents Samba's copy of the machine " "account password from getting out of date when it is set up to use AD for " "authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1112 msgid "ad_use_ldaps (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1115 msgid "" "By default SSSD uses the plain LDAP port 389 and the Global Catalog port " "3628. If this option is set to True SSSD will use the LDAPS port 636 and " "Global Catalog port 3629 with LDAPS protection. Since AD does not allow to " "have multiple encryption layers on a single connection and we still want to " "use SASL/GSSAPI or SASL/GSS-SPNEGO for authentication the SASL security " "property maxssf is set to 0 (zero) for those connections." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1132 msgid "ad_allow_remote_domain_local_groups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1135 msgid "" "If this option is set to <quote>true</quote> SSSD will not filter out Domain " "Local groups from remote domains in the AD forest. By default they are " "filtered out e.g. when following a nested group hierarchy in remote domains " "because they are not valid in the local domain. To be compatible with other " "solutions which make AD users and groups available on Linux client this " "option was added." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1145 msgid "" "Please note that setting this option to <quote>true</quote> will be against " "the intention of Domain Local group in Active Directory and <emphasis>SHOULD " "ONLY BE USED TO FACILITATE MIGRATION FROM OTHER SOLUTIONS</emphasis>. " "Although the group exists and user can be member of the group the intention " "is that the group should be only used in the domain it is defined and in no " "others. Since there is only one type of POSIX groups the only way to achieve " "this on the Linux side is to ignore those groups. This is also done by " "Active Directory as can be seen in the PAC of the Kerberos ticket for a " "local service or in tokenGroups requests where remote Domain Local groups " "are missing as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1161 msgid "" "Given the comments above, if this option is set to <quote>true</quote> the " "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</" "quote> to <quote>false</quote> to get consistent group-memberships of a " "users. Additionally the Global Catalog lookup should be skipped as well by " "setting <quote>ad_enable_gc</quote> to <quote>false</quote>. Finally it " "might be necessary to modify <quote>ldap_group_nesting_level</quote> if the " "remote Domain Local groups can only be found with a deeper nesting level." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1184 msgid "" "Optional. This option tells SSSD to automatically update the Active " "Directory DNS server with the IP address of this client. The update is " "secured using GSS-TSIG. As a consequence, the Active Directory administrator " "only needs to allow secure updates for the DNS zone. The IP address of the " "AD LDAP connection is used for the updates, if it is not otherwise specified " "by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1214 msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1230 msgid "" "Default: Use the IP addresses of the interface which is used for AD LDAP " "connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1243 msgid "" "How often should the back end perform periodic DNS update in addition to the " "automatic update performed when the back end goes online. This option is " "optional and applicable only when dyndns_update is true. Note that the " "lowest possible value is 60 seconds in-case if value is provided less than " "60, parameter will assume lowest value only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1393 msgid "" "The following example assumes that SSSD is correctly configured and example." "com is one of the domains in the <replaceable>[sssd]</replaceable> section. " "This example shows only the AD provider-specific options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ad.5.xml:1400 #, no-wrap msgid "" "[domain/EXAMPLE]\n" "id_provider = ad\n" "auth_provider = ad\n" "access_provider = ad\n" "chpass_provider = ad\n" "\n" "ad_server = dc1.example.com\n" "ad_hostname = client.example.com\n" "ad_domain = example.com\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ad.5.xml:1420 #, no-wrap msgid "" "access_provider = ldap\n" "ldap_access_order = expire\n" "ldap_account_expire_policy = ad\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1416 msgid "" "The AD access control provider checks if the account is expired. It has the " "same effect as the following configuration of the LDAP provider: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1426 msgid "" "However, unless the <quote>ad</quote> access control provider is explicitly " "configured, the default access provider is <quote>permit</quote>. Please " "note that if you configure an access provider other than <quote>ad</quote>, " "you need to set all the connection parameters (such as LDAP URIs and " "encryption details) manually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1434 msgid "" "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " "attribute mapping (nisMap, nisObject, ...) is used, because these attributes " "are included in the default Active Directory schema." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 msgid "sssd-sudo" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-sudo.5.xml:17 msgid "Configuring sudo with the SSSD back end" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:23 msgid "" "This manual page describes how to configure <citerefentry> " "<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " "to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:36 msgid "Configuring sudo to cooperate with SSSD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:38 msgid "" "To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " "the <emphasis>sudoers</emphasis> entry in <citerefentry> " "<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:47 msgid "" "For example, to configure sudo to first lookup rules in the standard " "<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> file (which should contain rules that apply to " "local users) and then in SSSD, the nsswitch.conf file should contain the " "following line:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-sudo.5.xml:57 #, no-wrap msgid "sudoers: files sss\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:61 msgid "" "More information about configuring the sudoers search order from the " "nsswitch.conf file as well as information about the LDAP schema that is used " "to store sudo rules in the directory can be found in <citerefentry> " "<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:70 msgid "" "<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " "sudo rules, you also need to correctly set <citerefentry> " "<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" "citerefentry> to your NIS domain name (which equals to IPA domain name when " "using hostgroups)." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:82 msgid "Configuring SSSD to fetch sudo rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:84 msgid "" "All configuration that is needed on SSSD side is to extend the list of " "<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " "search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " "option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:94 msgid "" "The following example shows how to configure SSSD to download sudo rules " "from an LDAP server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-sudo.5.xml:99 #, no-wrap msgid "" "[sssd]\n" "config_file_version = 2\n" "services = nss, pam, sudo\n" "domains = EXAMPLE\n" "\n" "[domain/EXAMPLE]\n" "id_provider = ldap\n" "sudo_provider = ldap\n" "ldap_uri = ldap://example.com\n" "ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:98 msgid "" "<placeholder type=\"programlisting\" id=\"0\"/> <phrase " "condition=\"have_systemd\"> It's important to note that on platforms where " "systemd is supported there's no need to add the \"sudo\" provider to the " "list of services, as it became optional. However, sssd-sudo.socket must be " "enabled instead. </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:118 msgid "" "When SSSD is configured to use IPA as the ID provider, the sudo provider is " "automatically enabled. The sudo search base is configured to use the IPA " "native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " "sssd.conf, this value will be used instead. The compat tree (ou=sudoers," "$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:128 msgid "The SUDO rule caching mechanism" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:130 msgid "" "The biggest challenge, when developing sudo support in SSSD, was to ensure " "that running sudo with SSSD as the data source provides the same user " "experience and is as fast as sudo but keeps providing the most current set " "of rules as possible. To satisfy these requirements, SSSD uses three kinds " "of updates. They are referred to as full refresh, smart refresh and rules " "refresh." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:138 msgid "" "The <emphasis>smart refresh</emphasis> periodically downloads rules that are " "new or were modified after the last update. Its primary goal is to keep the " "database growing by fetching only small increments that do not generate " "large amounts of network traffic." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:144 msgid "" "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " "in the cache and replaces them with all rules that are stored on the server. " "This is used to keep the cache consistent by removing every rule which was " "deleted from the server. However, full refresh may produce a lot of traffic " "and thus it should be run only occasionally depending on the size and " "stability of the sudo rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:152 msgid "" "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " "more permission than defined. It is triggered each time the user runs sudo. " "Rules refresh will find all rules that apply to this user, check their " "expiration time and redownload them if expired. In the case that any of " "these rules are missing on the server, the SSSD will do an out of band full " "refresh because more rules (that apply to other users) may have been deleted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:161 msgid "" "If enabled, SSSD will store only rules that can be applied to this machine. " "This means rules that contain one of the following values in " "<emphasis>sudoHost</emphasis> attribute:" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:168 msgid "keyword ALL" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:173 msgid "wildcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:178 msgid "netgroup (in the form \"+netgroup\")" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:183 msgid "hostname or fully qualified domain name of this machine" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:188 msgid "one of the IP addresses of this machine" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:193 msgid "one of the IP addresses of the network (in the form \"address/mask\")" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:199 msgid "" "There are many configuration options that can be used to adjust the " "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:213 msgid "Tuning the performance" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:215 msgid "" "SSSD uses different kinds of mechanisms with more or less complex LDAP " "filters to keep the cached sudo rules up to date. The default configuration " "is set to values that should satisfy most of our users, but the following " "paragraphs contain few tips on how to fine- tune the configuration to your " "requirements." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:222 msgid "" "1. <emphasis>Index LDAP attributes</emphasis>. Make sure that following LDAP " "attributes are indexed: objectClass, cn, entryUSN or modifyTimestamp." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:227 msgid "" "2. <emphasis>Set ldap_sudo_search_base</emphasis>. Set the search base to " "the container that holds the sudo rules to limit the scope of the lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:232 msgid "" "3. <emphasis>Set full and smart refresh interval</emphasis>. If your sudo " "rules do not change often and you do not require quick update of cached " "rules on your clients, you may consider increasing the " "<emphasis>ldap_sudo_full_refresh_interval</emphasis> and " "<emphasis>ldap_sudo_smart_refresh_interval</emphasis>. You may also consider " "disabling the smart refresh by setting " "<emphasis>ldap_sudo_smart_refresh_interval = 0</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:241 msgid "" "4. If you have large number of clients, you may consider increasing the " "value of <emphasis>ldap_sudo_random_offset</emphasis> to distribute the load " "on the server better." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd.8.xml:10 sssd.8.xml:15 msgid "sssd" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd.8.xml:16 msgid "System Security Services Daemon" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sssd.8.xml:21 msgid "" "<command>sssd</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.8.xml:31 msgid "" "<command>SSSD</command> provides a set of daemons to manage access to remote " "directories and authentication mechanisms. It provides an NSS and PAM " "interface toward the system and a pluggable backend system to connect to " "multiple different account sources as well as D-Bus interface. It is also " "the basis to provide client auditing and policy services for projects like " "FreeIPA. It provides a more robust database to store local users as well as " "extended user data." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:46 msgid "" "<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:53 msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:57 msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:60 msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:69 msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:73 msgid "" "<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:76 msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:85 msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:89 msgid "Location where SSSD will send log messages." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:92 msgid "" "<emphasis>stderr</emphasis>: Redirect debug messages to standard error " "output." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:96 msgid "" "<emphasis>files</emphasis>: Redirect debug messages to the log files. By " "default, the log files are stored in <filename>/var/log/sssd</filename> and " "there are separate log files for every SSSD service and domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:102 msgid "" "<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:106 msgid "" "Default: not set (fall back to journald if available, otherwise to stderr)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:113 msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:117 msgid "Become a daemon after starting up." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:123 sss_seed.8.xml:136 msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:127 msgid "Run in the foreground, don't become a daemon." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:133 msgid "<option>-c</option>,<option>--config</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:137 msgid "" "Specify a non-default config file. The default is <filename>/etc/sssd/sssd." "conf</filename>. For reference on the config file syntax and options, " "consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:150 msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:154 msgid "" "Do not start the SSSD, but refresh the configuration database from the " "contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:162 msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:166 msgid "" "Similar to <quote>--genconf</quote>, but only refresh a single section from " "the configuration file. This option is useful mainly to be called from " "systemd unit files to allow socket-activated responders to refresh their " "configuration without requiring the administrator to restart the whole SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:178 msgid "<option>--version</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:182 msgid "Print version number and exit." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.8.xml:190 msgid "Signals" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:193 msgid "SIGTERM/SIGINT" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:196 msgid "" "Informs the SSSD to gracefully terminate all of its child processes and then " "shut down the monitor." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:202 msgid "SIGHUP" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:205 msgid "" "Tells the SSSD to stop writing to its current debug file descriptors and to " "close and reopen them. This is meant to facilitate log rolling with programs " "like logrotate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:213 msgid "SIGUSR1" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:216 msgid "" "Tells the SSSD to simulate offline operation for the duration of the " "<quote>offline_timeout</quote> parameter. This is useful for testing. The " "signal can be sent to either the sssd process or any sssd_be process " "directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:225 msgid "SIGUSR2" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:228 msgid "" "Tells the SSSD to go online immediately. This is useful for testing. The " "signal can be sent to either the sssd process or any sssd_be process " "directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.8.xml:240 msgid "" "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " "applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.8.xml:244 msgid "" "If the environment variable SSS_LOCKFREE is set to \"NO\", requests from " "multiple threads of a single application will be serialized." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 msgid "sss_obfuscate" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_obfuscate.8.xml:16 msgid "obfuscate a clear text password" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_obfuscate.8.xml:21 msgid "" "<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" "replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_obfuscate.8.xml:32 msgid "" "<command>sss_obfuscate</command> converts a given password into human-" "unreadable format and places it into appropriate domain section of the SSSD " "config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_obfuscate.8.xml:37 msgid "" "The cleartext password is read from standard input or entered " "interactively. The obfuscated password is put into " "<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " "<quote>ldap_default_authtok_type</quote> parameter is set to " "<quote>obfuscated_password</quote>. Refer to <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more details on these parameters." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_obfuscate.8.xml:49 msgid "" "Please note that obfuscating the password provides <emphasis>no real " "security benefit</emphasis> as it is still possible for an attacker to " "reverse-engineer the password back. Using better authentication mechanisms " "such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " "advised." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_obfuscate.8.xml:63 msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:67 msgid "The password to obfuscate will be read from standard input." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 #: sss_ssh_knownhostsproxy.1.xml:78 msgid "" "<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:79 msgid "" "The SSSD domain to use the password in. The default name is <quote>default</" "quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_obfuscate.8.xml:86 msgid "" "<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:91 msgid "Read the config file specified by the positional parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:95 msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_override.8.xml:10 sss_override.8.xml:15 msgid "sss_override" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_override.8.xml:16 msgid "create local overrides of user and group attributes" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_override.8.xml:21 msgid "" "<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" "replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" "arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:32 msgid "" "<command>sss_override</command> enables to create a client-side view and " "allows to change selected values of specific user and groups. This change " "takes effect only on local machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:37 msgid "" "Overrides data are stored in the SSSD cache. If the cache is deleted, all " "local overrides are lost. Please note that after the first override is " "created using any of the following <emphasis>user-add</emphasis>, " "<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " "<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " "take effect. <emphasis>sss_override</emphasis> prints message when a " "restart is required." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:48 msgid "" "<emphasis>NOTE:</emphasis> The options provided in this man page only work " "with <quote>ldap</quote> and <quote>AD</quote> <quote> id_provider</quote>. " "IPA overrides can be managed centrally on the IPA server." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_override.8.xml:56 sssctl.8.xml:41 msgid "AVAILABLE COMMANDS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:58 msgid "" "Argument <emphasis>NAME</emphasis> is the name of original object in all " "commands. It is not possible to override <emphasis>uid</emphasis> or " "<emphasis>gid</emphasis> to 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:65 msgid "" "<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" "name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" "optional> <optional><option>-g,--gid</option> GID</optional> " "<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" "shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" "optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " "CERTIFICATE</optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:78 msgid "" "Override attributes of an user. Please be aware that calling this command " "will replace any previous override for the (NAMEd) user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:86 msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:91 msgid "" "Remove user overrides. However be aware that overridden attributes might be " "returned from memory cache. Please see SSSD option " "<emphasis>memcache_timeout</emphasis> for more details." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:100 msgid "" "<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" "optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:105 msgid "" "List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " "is set, only users from the domain are listed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:113 msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:118 msgid "Show user overrides." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:124 msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:129 msgid "" "Import user overrides from <emphasis>FILE</emphasis>. Data format is " "similar to standard passwd file. The format is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:134 msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:137 msgid "" "where original_name is original name of the user whose attributes should be " "overridden. The rest of fields correspond to new values. You can omit a " "value simply by leaving corresponding field empty." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:146 msgid "ckent:superman::::::" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:149 msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:155 msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:160 msgid "" "Export all overridden attributes and store them in <emphasis>FILE</" "emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:168 msgid "" "<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" "name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" "optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:175 msgid "" "Override attributes of a group. Please be aware that calling this command " "will replace any previous override for the (NAMEd) group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:183 msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:188 msgid "" "Remove group overrides. However be aware that overridden attributes might be " "returned from memory cache. Please see SSSD option " "<emphasis>memcache_timeout</emphasis> for more details." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:197 msgid "" "<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" "optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:202 msgid "" "List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " "parameter is set, only groups from the domain are listed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:210 msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:215 msgid "Show group overrides." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:221 msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:226 msgid "" "Import group overrides from <emphasis>FILE</emphasis>. Data format is " "similar to standard group file. The format is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:231 msgid "original_name:name:gid" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:234 msgid "" "where original_name is original name of the group whose attributes should be " "overridden. The rest of fields correspond to new values. You can omit a " "value simply by leaving corresponding field empty." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:243 msgid "admins:administrators:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:246 msgid "Domain Users:Users:501" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:252 msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:257 msgid "" "Export all overridden attributes and store them in <emphasis>FILE</" "emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_override.8.xml:267 sssctl.8.xml:50 msgid "COMMON OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:269 sssctl.8.xml:52 msgid "Those options are available with all commands." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:274 sssctl.8.xml:57 msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 msgid "sssd-krb5" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-krb5.5.xml:17 msgid "SSSD Kerberos provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:23 msgid "" "This manual page describes the configuration of the Kerberos 5 " "authentication backend for <citerefentry> <refentrytitle>sssd</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " "syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " "the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:36 msgid "" "The Kerberos 5 authentication backend contains auth and chpass providers. It " "must be paired with an identity provider in order to function properly (for " "example, id_provider = ldap). Some information required by the Kerberos 5 " "authentication backend must be provided by the identity provider, such as " "the user's Kerberos Principal Name (UPN). The configuration of the identity " "provider should have an entry to specify the UPN. Please refer to the man " "page for the applicable identity provider for details on how to configure " "this." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:47 msgid "" "This backend also provides access control based on the .k5login file in the " "home directory of the user. See <citerefentry> <refentrytitle>k5login</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " "Please note that an empty .k5login file will deny all access to this user. " "To activate this feature, use 'access_provider = krb5' in your SSSD " "configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:55 msgid "" "In the case where the UPN is not available in the identity backend, " "<command>sssd</command> will construct a UPN using the format " "<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:77 msgid "" "Specifies the comma-separated list of IP addresses or hostnames of the " "Kerberos servers to which SSSD should connect, in the order of preference. " "For more information on failover and server redundancy, see the " "<quote>FAILOVER</quote> section. An optional port number (preceded by a " "colon) may be appended to the addresses or hostnames. If empty, service " "discovery is enabled; for more information, refer to the <quote>SERVICE " "DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:106 msgid "" "The name of the Kerberos realm. This option is required and must be " "specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:113 msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:116 msgid "" "If the change password service is not running on the KDC, alternative " "servers can be defined here. An optional port number (preceded by a colon) " "may be appended to the addresses or hostnames." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:122 msgid "" "For more information on failover and server redundancy, see the " "<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " "servers to try, the backend is not switched to operate offline if " "authentication against the KDC is still possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:129 msgid "Default: Use the KDC" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:135 msgid "krb5_ccachedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:138 msgid "" "Directory to store credential caches. All the substitution sequences of " "krb5_ccname_template can be used here, too, except %d and %P. The directory " "is created as private and owned by the user, with permissions set to 0700." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:145 msgid "Default: /tmp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:151 msgid "krb5_ccname_template (string)" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:165 include/override_homedir.xml:11 msgid "%u" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:166 include/override_homedir.xml:12 msgid "login name" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:169 include/override_homedir.xml:15 msgid "%U" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:170 msgid "login UID" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:173 msgid "%p" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:174 msgid "principal name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:178 msgid "%r" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:179 msgid "realm name" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:182 include/override_homedir.xml:42 msgid "%h" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:183 sssd-ifp.5.xml:124 msgid "home directory" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:187 include/override_homedir.xml:19 msgid "%d" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:188 msgid "value of krb5_ccachedir" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:193 include/override_homedir.xml:31 msgid "%P" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:194 msgid "the process ID of the SSSD client" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:199 include/override_homedir.xml:56 msgid "%%" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:200 include/override_homedir.xml:57 msgid "a literal '%'" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:154 msgid "" "Location of the user's credential cache. Three credential cache types are " "currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " "<quote>KEYRING:persistent</quote>. The cache can be specified either as " "<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " "implies the <quote>FILE</quote> type. In the template, the following " "sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " "the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " "filename in a safe way." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:208 msgid "" "When using KEYRING types, the only supported mechanism is <quote>KEYRING:" "persistent:%U</quote>, which uses the Linux kernel keyring to store " "credentials on a per-UID basis. This is also the recommended choice, as it " "is the most secure and predictable method." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:216 msgid "" "The default value for the credential cache name is sourced from the profile " "stored in the system wide krb5.conf configuration file in the [libdefaults] " "section. The option name is default_ccache_name. See krb5.conf(5)'s " "PARAMETER EXPANSION paragraph for additional information on the expansion " "format defined by krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:225 msgid "" "NOTE: Please be aware that libkrb5 ccache expansion template from " "<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:234 msgid "Default: (from libkrb5)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:240 msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:243 msgid "" "The location of the keytab to use when validating credentials obtained from " "KDCs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:253 msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:256 msgid "" "Store the password of the user if the provider is offline and use it to " "request a TGT when the provider comes online again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:261 msgid "" "NOTE: this feature is only available on Linux. Passwords stored in this way " "are kept in plaintext in the kernel keyring and are potentially accessible " "by the root user (with difficulty)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:274 msgid "krb5_use_fast (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:277 msgid "" "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" "authentication. The following options are supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:282 msgid "" "<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " "option at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:286 msgid "" "<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " "continue the authentication without it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:291 msgid "" "<emphasis>demand</emphasis> to use FAST. The authentication fails if the " "server does not require fast." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:296 msgid "Default: not set, i.e. FAST is not used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:299 msgid "NOTE: a keytab or support for anonymous PKINIT is required to use FAST." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:303 msgid "" "NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " "SSSD is used with an older version of MIT Kerberos, using this option is a " "configuration error." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:312 msgid "krb5_fast_principal (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:315 msgid "Specifies the server principal to use for FAST." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:321 msgid "krb5_fast_use_anonymous_pkinit (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:324 msgid "" "If set to true try to use anonymous PKINIT instead of a keytab to get the " "required credential for FAST. The krb5_fast_principal options is ignored in " "this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:364 msgid "krb5_kdcinfo_lookahead (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:367 msgid "" "When krb5_use_kdcinfo is set to true, you can limit the amount of servers " "handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " "helpful when there are too many servers discovered using SRV record." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:377 msgid "" "The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " "The first number represents number of primary servers used and the second " "number specifies the number of backup servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:383 msgid "" "For example <emphasis>10:0</emphasis> means that up to 10 primary servers " "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " "servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:392 msgid "Default: 3:1" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:398 msgid "krb5_use_enterprise_principal (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:401 msgid "" "Specifies if the user principal should be treated as enterprise principal. " "See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:407 msgid "Default: false (AD provider: true)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:410 msgid "" "The IPA provider will set to option to 'true' if it detects that the server " "is capable of handling enterprise principals and the option is not set " "explicitly in the config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:419 msgid "krb5_use_subdomain_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:422 msgid "" "Specifies to use subdomains realms for the authentication of users from " "trusted domains. This option can be set to 'true' if enterprise principals " "are used with upnSuffixes which are not known on the parent domain KDCs. If " "the option is set to 'true' SSSD will try to send the request directly to a " "KDC of the trusted domain the user is coming from." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:438 msgid "krb5_map_user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:441 msgid "" "The list of mappings is given as a comma-separated list of pairs " "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " "name and <quote>primary</quote> is a user part of a kerberos principal. This " "mapping is used when user is authenticating using <quote>auth_provider = " "krb5</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-krb5.5.xml:453 #, no-wrap msgid "" "krb5_realm = REALM\n" "krb5_map_user = joe:juser,dick:richard\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:458 msgid "" "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " "principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " "try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" "quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:65 msgid "" "If the auth-module krb5 is used in an SSSD domain, the following options " "must be used. See the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " "<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " "domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:485 msgid "" "The following example assumes that SSSD is correctly configured and FOO is " "one of the domains in the <replaceable>[sssd]</replaceable> section. This " "example shows only configuration of Kerberos authentication; it does not " "include any identity provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-krb5.5.xml:493 #, no-wrap msgid "" "[domain/FOO]\n" "auth_provider = krb5\n" "krb5_server = 192.168.1.1\n" "krb5_realm = EXAMPLE.COM\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_cache.8.xml:10 sss_cache.8.xml:15 msgid "sss_cache" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_cache.8.xml:16 msgid "perform cache cleanup" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_cache.8.xml:21 msgid "" "<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:31 msgid "" "<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " "records are forced to be reloaded from server as soon as related SSSD " "backend is online. Options that invalidate a single object only accept a " "single provided argument." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:43 msgid "<option>-E</option>,<option>--everything</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:47 msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:53 msgid "" "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:58 msgid "Invalidate specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:64 msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:68 msgid "" "Invalidate all user records. This option overrides invalidation of specific " "user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:75 msgid "" "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:80 msgid "Invalidate specific group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:86 msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:90 msgid "" "Invalidate all group records. This option overrides invalidation of specific " "group if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:97 msgid "" "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:102 msgid "Invalidate specific netgroup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:108 msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:112 msgid "" "Invalidate all netgroup records. This option overrides invalidation of " "specific netgroup if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:119 msgid "" "<option>-s</option>,<option>--service</option> <replaceable>service</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:124 msgid "Invalidate specific service." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:130 msgid "<option>-S</option>,<option>--services</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:134 msgid "" "Invalidate all service records. This option overrides invalidation of " "specific service if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:141 msgid "" "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:146 msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:152 msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:156 msgid "" "Invalidate all autofs maps. This option overrides invalidation of specific " "map if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:163 msgid "" "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:168 msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:174 msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:178 msgid "" "Invalidate SSH public keys of all hosts. This option overrides invalidation " "of SSH public keys of specific host if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:186 msgid "" "<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:191 msgid "Invalidate particular sudo rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:197 msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:201 msgid "" "Invalidate all cached sudo rules. This option overrides invalidation of " "specific sudo rule if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:209 msgid "" "<option>-d</option>,<option>--domain</option> <replaceable>domain</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:214 msgid "Restrict invalidation process only to a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_cache.8.xml:224 msgid "EFFECTS ON THE FAST MEMORY CACHE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:226 msgid "" "<command>sss_cache</command> also invalidates the memory cache. Since the " "memory cache is a file which is mapped into the memory of each process which " "called SSSD to resolve users or groups the file cannot be truncated. A " "special flag is set in the header of the file to indicate that the content " "is invalid and then the file is unlinked by SSSD's NSS responder and a new " "cache file is created. Whenever a process is now doing a new lookup for a " "user or a group it will see the flag, close the old memory cache file and " "map the new one into its memory. When all processes which had opened the old " "memory cache file have closed it while looking up a user or a group the " "kernel can release the occupied disk space and the old memory cache file is " "finally removed completely." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:240 msgid "" "A special case is long running processes which are doing user or group " "lookups only at startup, e.g. to determine the name of the user the process " "is running as. For those lookups the memory cache file is mapped into the " "memory of the process. But since there will be no further lookups this " "process would never detect if the memory cache file was invalidated and " "hence it will be kept in memory and will occupy disk space until the process " "stops. As a result calling <command>sss_cache</command> might increase the " "disk usage because old memory cache files cannot be removed from the disk " "because they are still mapped by long running processes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:252 msgid "" "A possible work-around for long running processes which are looking up users " "and groups only at startup or very rarely is to run them with the " "environment variable SSS_NSS_USE_MEMCACHE set to \"NO\" so that they won't " "use the memory cache at all and not map the memory cache file into the " "memory. In general a better solution is to tune the cache timeout parameters " "so that they meet the local expectations and calling <command>sss_cache</" "command> is not needed." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 msgid "sss_debuglevel" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_debuglevel.8.xml:16 msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_debuglevel.8.xml:21 msgid "" "<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" "replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_debuglevel.8.xml:32 msgid "" "<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " "debug-level command. Please refer to the <command>sssctl</command> man page " "for more information on sssctl usage." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_seed.8.xml:10 sss_seed.8.xml:15 msgid "sss_seed" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_seed.8.xml:16 msgid "seed the SSSD cache with a user" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_seed.8.xml:21 msgid "" "<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" "replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" "arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_seed.8.xml:33 msgid "" "<command>sss_seed</command> seeds the SSSD cache with a user entry and " "temporary password. If a user entry is already present in the SSSD cache " "then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:46 msgid "" "<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:51 msgid "" "Provide the name of the domain in which the user is a member of. The domain " "is also used to retrieve user information. The domain must be configured in " "sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " "Information retrieved from the domain overrides what is provided in the " "options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:63 msgid "" "<option>-n</option>,<option>--username</option> <replaceable>USER</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:68 msgid "" "The username of the entry to be created or modified in the cache. The " "<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:76 msgid "" "<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:81 msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:88 msgid "" "<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:93 msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:100 msgid "" "<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:105 msgid "" "Any text string describing the user. Often used as the field for the user's " "full name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:112 msgid "" "<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:117 msgid "" "Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:124 msgid "" "<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:129 msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:140 msgid "" "Interactive mode for entering user information. This option will only prompt " "for information not provided in the options or retrieved from the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:148 msgid "" "<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:153 msgid "" "Specify file to read user's password from. (if not specified password is " "prompted for)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_seed.8.xml:165 msgid "" "The length of the password (or the size of file specified with -p or --" "password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " "on systems with no globally-defined PASS_MAX value)." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 msgid "sssd-ifp" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ifp.5.xml:17 msgid "SSSD InfoPipe responder" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ifp.5.xml:23 msgid "" "This manual page describes the configuration of the InfoPipe responder for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ifp.5.xml:36 msgid "" "The InfoPipe responder provides a public D-Bus interface accessible over the " "system bus. The interface allows the user to query information about remote " "users and groups over the system bus." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ifp.5.xml:43 msgid "FIND BY VALID CERTIFICATE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ifp.5.xml:45 msgid "" "The following options can be used to control how the certificates are " "validated when using the FindByValidCertificate() API:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ifp.5.xml:48 sss_ssh_authorizedkeys.1.xml:92 msgid "ca_db" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ifp.5.xml:49 sss_ssh_authorizedkeys.1.xml:93 msgid "p11_child_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ifp.5.xml:50 sss_ssh_authorizedkeys.1.xml:94 msgid "certificate_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ifp.5.xml:52 msgid "" "For more details about the options see <citerefentry><refentrytitle>sssd." "conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ifp.5.xml:62 msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:69 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the InfoPipe responder. User names are resolved to UIDs at " "startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:75 msgid "" "Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:79 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " "access the InfoPipe responder, which would be the typical case, you have to " "add 0 to the list of allowed UIDs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:93 msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:107 msgid "name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:108 msgid "user's login name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:111 msgid "uidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:112 msgid "user ID" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:115 msgid "gidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:116 msgid "primary group ID" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:119 msgid "gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:120 msgid "user information, typically full name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:123 msgid "homeDirectory" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:127 msgid "loginShell" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:128 msgid "user shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:97 msgid "" "By default, the InfoPipe responder only allows the default set of POSIX " "attributes to be requested. This set is the same as returned by " "<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ifp.5.xml:141 #, no-wrap msgid "" "user_attributes = +telephoneNumber, -loginShell\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:133 msgid "" "It is possible to add another attribute to this set by using " "<quote>+attr_name</quote> or explicitly remove an attribute using <quote>-" "attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " "deny <quote>loginShell</quote>, you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:145 msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:155 msgid "" "Specifies an upper limit on the number of entries that are downloaded during " "a wildcard lookup that overrides caller-supplied limit." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:160 msgid "Default: 0 (let the caller set an upper limit)" msgstr "" #. type: Content of: <reference><refentry><refentryinfo> #: sss_rpcidmapd.5.xml:8 msgid "" "<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" "firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " "Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" "author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " "<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" "author>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 msgid "sss_rpcidmapd" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_rpcidmapd.5.xml:33 msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_rpcidmapd.5.xml:37 msgid "CONFIGURATION FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:39 msgid "" "rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." "conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_rpcidmapd.5.xml:49 msgid "SSS CONFIGURATION EXTENSION" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss_rpcidmapd.5.xml:51 msgid "Enable SSS plugin" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_rpcidmapd.5.xml:53 msgid "" "In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " "attribute to contain <emphasis>sss</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss_rpcidmapd.5.xml:59 msgid "[sss] config section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_rpcidmapd.5.xml:61 msgid "" "In order to change the default of one of the configuration attributes of the " "<emphasis>sss</emphasis> plugin listed below you will need to create a " "config section for it, named <quote>[sss]</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> #: sss_rpcidmapd.5.xml:67 msgid "Configuration attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sss_rpcidmapd.5.xml:69 msgid "memcache (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sss_rpcidmapd.5.xml:72 msgid "Indicates whether or not to use memcache optimisation technique." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_rpcidmapd.5.xml:85 msgid "SSSD INTEGRATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:87 msgid "" "The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " "in sssd." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:91 msgid "" "The attribute <quote>use_fully_qualified_names</quote> must be enabled on " "all domains (NFSv4 clients expect a fully qualified name to be sent on the " "wire)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sss_rpcidmapd.5.xml:103 #, no-wrap msgid "" "[General]\n" "Verbosity = 2\n" "# domain must be synced between NFSv4 server and clients\n" "# Solaris/Illumos/AIX use \"localdomain\" as default!\n" "Domain = default\n" "\n" "[Mapping]\n" "Nobody-User = nfsnobody\n" "Nobody-Group = nfsnobody\n" "\n" "[Translation]\n" "Method = sss\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:100 msgid "" "The following example shows a minimal idmapd.conf which makes use of the sss " "plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <refsect1><title> #: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:316 include/seealso.xml:2 msgid "SEE ALSO" msgstr "VIZ TAKÉ" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:122 msgid "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 msgid "sss_ssh_authorizedkeys" msgstr "" #. type: Content of: <reference><refentry><refmeta><manvolnum> #: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 msgid "1" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_ssh_authorizedkeys.1.xml:16 msgid "get OpenSSH authorized keys" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_ssh_authorizedkeys.1.xml:21 msgid "" "<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " "<replaceable>options</replaceable> </arg> <arg " "choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:32 msgid "" "<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " "<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " "format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " "<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" "citerefentry> for more information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:41 msgid "" "<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" "citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" "command> for public key user authentication if it is compiled with support " "for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " "<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" "manvolnum></citerefentry> man page for more details about this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sss_ssh_authorizedkeys.1.xml:59 #, no-wrap msgid "" " AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" " AuthorizedKeysCommandUser nobody\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:52 msgid "" "If <quote>AuthorizedKeysCommand</quote> is supported, " "<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" "citerefentry> can be configured to use it by putting the following " "directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry>: <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss_ssh_authorizedkeys.1.xml:65 msgid "KEYS FROM CERTIFICATES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:67 msgid "" "In addition to the public SSH keys for user <replaceable>USER</replaceable> " "<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " "from the public key of a X.509 certificate as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:73 msgid "" "To enable this the <quote>ssh_use_certificate_keys</quote> option must be " "set to true (default) in the [ssh] section of <filename>sssd.conf</" "filename>. If the user entry contains certificates (see " "<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " "there is a certificate in an override entry for the user (see " "<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" "manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" "refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " "certificate is valid SSSD will extract the public key from the certificate " "and convert it into the format expected by sshd." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:90 msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:96 msgid "" "can be used to control how the certificates are validated (see " "<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum></citerefentry> for details)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:101 msgid "" "The validation is the benefit of using X.509 certificates instead of SSH " "keys directly because e.g. it gives a better control of the lifetime of the " "keys. When the ssh client is configured to use the private keys from a " "Smartcard with the help of a PKCS#11 shared library (see " "<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" "citerefentry> for details) it might be irritating that authentication is " "still working even if the related X.509 certificate on the Smartcard is " "already expired because neither <command>ssh</command> nor <command>sshd</" "command> will look at the certificate at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:114 msgid "" "It has to be noted that the derived public SSH key can still be added to the " "<filename>authorized_keys</filename> file of the user to bypass the " "certificate validation if the <command>sshd</command> configuration permits " "this." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_authorizedkeys.1.xml:132 msgid "" "Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 msgid "EXIT STATUS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" "In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 msgid "sss_ssh_knownhostsproxy" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_ssh_knownhostsproxy.1.xml:16 msgid "get OpenSSH host keys" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_ssh_knownhostsproxy.1.xml:21 msgid "" "<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " "<replaceable>options</replaceable> </arg> <arg " "choice='plain'><replaceable>HOST</replaceable></arg> <arg " "choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_knownhostsproxy.1.xml:33 msgid "" "<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " "host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " "known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " "of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" "manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" "pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_knownhostsproxy.1.xml:43 msgid "" "If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " "create the connection to the host instead of opening a socket." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sss_ssh_knownhostsproxy.1.xml:55 #, no-wrap msgid "" "ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" "GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_knownhostsproxy.1.xml:48 msgid "" "<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" "citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" "command> for host key authentication by using the following directives for " "<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" "citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_ssh_knownhostsproxy.1.xml:66 msgid "" "<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_knownhostsproxy.1.xml:71 msgid "" "Use port <replaceable>PORT</replaceable> to connect to the host. By " "default, port 22 is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_knownhostsproxy.1.xml:83 msgid "" "Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_ssh_knownhostsproxy.1.xml:89 msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_knownhostsproxy.1.xml:93 msgid "" "Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: idmap_sss.8.xml:10 idmap_sss.8.xml:15 msgid "idmap_sss" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: idmap_sss.8.xml:16 msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:22 msgid "" "The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " "No database is required in this case as the mapping is done by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: idmap_sss.8.xml:29 msgid "IDMAP OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: idmap_sss.8.xml:33 msgid "range = low - high" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: idmap_sss.8.xml:35 msgid "" "Defines the available matching UID and GID range for which the backend is " "authoritative." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:45 msgid "" "This example shows how to configure idmap_sss as the default mapping module." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: idmap_sss.8.xml:50 #, no-wrap msgid "" "[global]\n" "security = ads\n" "workgroup = <AD-DOMAIN-SHORTNAME>\n" "\n" "idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" "idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" "\n" "idmap config * : backend = tdb\n" "idmap config * : range = 100000-199999\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:62 msgid "" "Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " "the AD domain. If multiple AD domains should be used each domain needs an " "<literal>idmap config</literal> line with <literal>backend = sss</literal> " "and a line with a suitable <literal>range</literal>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:69 msgid "" "Since Winbind requires a writeable default backend and idmap_sss is read-" "only the example includes <literal>backend = tdb</literal> as default." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssctl.8.xml:10 sssctl.8.xml:15 msgid "sssctl" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssctl.8.xml:16 msgid "SSSD control and status utility" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sssctl.8.xml:21 msgid "" "<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" "replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" "arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssctl.8.xml:32 msgid "" "<command>sssctl</command> provides a simple and unified way to obtain " "information about SSSD status, such as active server, auto-discovered " "servers, domains and cached objects. In addition, it can manage SSSD data " "files for troubleshooting in such a way that is safe to manipulate while " "SSSD is running." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssctl.8.xml:43 msgid "" "To list all available commands run <command>sssctl</command> without any " "parameters. To print help for selected command run <command>sssctl COMMAND --" "help</command>." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-files.5.xml:10 sssd-files.5.xml:16 msgid "sssd-files" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-files.5.xml:17 msgid "SSSD files provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:23 msgid "" "This manual page describes the files provider for <citerefentry> " "<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" "citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:36 msgid "" "The files provider mirrors the content of the <citerefentry> " "<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " "provider is to make the users and groups traditionally only accessible with " "NSS interfaces also available through the SSSD interfaces such as " "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:55 msgid "" "Another reason is to provide efficient caching of local users and groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:58 msgid "" "Please note that besides explicit domain definition the files provider can " "be configured also implicitly using 'enable_files_domain' option. See " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:66 msgid "" "SSSD never handles resolution of user/group \"root\". Also resolution of UID/" "GID 0 is not handled by SSSD. Such requests are passed to next NSS module " "(usually files)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:71 msgid "" "When SSSD is not running or responding, nss_sss returns the UNAVAIL code " "which causes the request to be passed to the next module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-files.5.xml:95 msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:98 msgid "" "Comma-separated list of one or multiple password filenames to be read and " "enumerated by the files provider, inotify monitor watches will be set on " "each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:104 msgid "Default: /etc/passwd" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-files.5.xml:110 msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:113 msgid "" "Comma-separated list of one or multiple group filenames to be read and " "enumerated by the files provider, inotify monitor watches will be set on " "each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:119 msgid "Default: /etc/group" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-files.5.xml:125 msgid "fallback_to_nss (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:128 msgid "" "While updating the internal data SSSD will return an error and let the " "client continue with the next NSS module. This helps to avoid delays when " "using the default system files <filename>/etc/passwd</filename> and " "<filename>/etc/group</filename> and the NSS configuration has 'sss' before " "'files' for the 'passwd' and 'group' maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:138 msgid "" "If the files provider is configured to monitor other files it makes sense to " "set this option to 'False' to avoid inconsistent behavior because in general " "there would be no other NSS module which can be used as a fallback." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:79 msgid "" "In addition to the options listed below, generic SSSD domain options can be " "set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " "of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for details on the configuration of " "an SSSD domain. But the purpose of the files provider is to expose the same " "data as the UNIX files, just through the SSSD interfaces. Therefore not all " "generic domain options are supported. Likewise, some global options, such as " "overriding the shell in the <quote>nss</quote> section for all domains has " "no effect on the files domain unless explicitly specified per-domain. " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:157 msgid "" "The following example assumes that SSSD is correctly configured and files is " "one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-files.5.xml:163 #, no-wrap msgid "" "[domain/files]\n" "id_provider = files\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:168 msgid "" "To leverage caching of local users and groups by SSSD nss_sss module must be " "listed before nss_files module in /etc/nsswitch.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-files.5.xml:174 #, no-wrap msgid "" "passwd: sss files\n" "group: sss files\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-session-recording.5.xml:17 msgid "Configuring session recording with SSSD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:23 msgid "" "This manual page describes how to configure <citerefentry> " "<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " "to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " "implement user session recording on text terminals. For a detailed " "configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:41 msgid "" "SSSD can be set up to enable recording of everything specific users see or " "type during their sessions on text terminals. E.g. when users log in on the " "console, or via SSH. SSSD itself doesn't record anything, but makes sure " "tlog-rec-session is started upon user login, so it can record according to " "its configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:48 msgid "" "For users with session recording enabled, SSSD replaces the user shell with " "tlog-rec-session in NSS responses, and adds a variable specifying the " "original shell to the user environment, upon PAM session setup. This way " "tlog-rec-session can be started in place of the user shell, and know which " "actual shell to start, once it set up the recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:60 msgid "These options can be used to configure the session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:178 msgid "" "The following snippet of sssd.conf enables session recording for users " "\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-session-recording.5.xml:183 #, no-wrap msgid "" "[session_recording]\n" "scope = some\n" "users = contractor1, contractor2\n" "groups = students\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 msgid "sssd-kcm" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-kcm.8.xml:17 msgid "SSSD Kerberos Cache Manager" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:23 msgid "" "This manual page describes the configuration of the SSSD Kerberos Cache " "Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " "credential caches. It originates in the Heimdal Kerberos project, although " "the MIT Kerberos library also provides client side (more details on that " "below) support for the KCM credential cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:31 msgid "" "In a setup where Kerberos caches are managed by KCM, the Kerberos library " "(typically used through an application, like e.g., <citerefentry> " "<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" "citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " "being referred to as a <quote>\"KCM server\"</quote>. The client and server " "communicate over a UNIX socket." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:42 msgid "" "The KCM server keeps track of each credential caches's owner and performs " "access check control based on the UID and GID of the KCM client. The root " "user has access to all credential caches." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:47 msgid "The KCM credential cache has several interesting properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-kcm.8.xml:51 msgid "" "since the process runs in userspace, it is subject to UID namespacing, " "unlike the kernel keyring" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-kcm.8.xml:56 msgid "" "unlike the kernel keyring-based cache, which is shared between all " "containers, the KCM server is a separate process whose entry point is a UNIX " "socket" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-kcm.8.xml:61 msgid "" "the SSSD implementation stores the ccaches in a database, typically located " "at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " "survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:67 msgid "" "This allows the system to use a collection-aware credential cache, yet share " "the credential cache between some or no containers by bind-mounting the " "socket." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:72 msgid "" "The KCM default client idle timeout is 5 minutes, this allows more time for " "user interaction with command line tools such as kinit." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:78 msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:88 #, no-wrap msgid "" "[libdefaults]\n" " default_ccache_name = KCM:\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:80 msgid "" "In order to use KCM credential cache, it must be selected as the default " "credential type in <citerefentry> <refentrytitle>krb5.conf</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " "cache name must be only <quote>KCM:</quote> without any template " "expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:93 msgid "" "Next, make sure the Kerberos client libraries and the KCM server must agree " "on the UNIX socket path. By default, both use the same path <replaceable>/" "var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " "library, change its <quote>kcm_socket</quote> option which is described in " "the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" "manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:115 #, no-wrap msgid "" "systemctl start sssd-kcm.socket\n" "systemctl enable sssd-kcm.socket\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:104 msgid "" "Finally, make sure the SSSD KCM server can be contacted. The KCM service is " "typically socket-activated by <citerefentry> <refentrytitle>systemd</" "refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " "services, it cannot be started by adding the <quote>kcm</quote> string to " "the <quote>service</quote> directive. <placeholder type=\"programlisting\" " "id=\"0\"/> Please note your distribution may already configure the units for " "you." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:124 msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:126 msgid "" "The credential caches are stored in a database, much like SSSD caches user " "or group entries. The database is typically located at <quote>/var/lib/sss/" "secrets</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:133 msgid "OBTAINING DEBUG LOGS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:144 #, no-wrap msgid "" "[kcm]\n" "debug_level = 10\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:149 sssd-kcm.8.xml:211 #, no-wrap msgid "" "systemctl restart sssd-kcm.service\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:135 msgid "" "The sssd-kcm service is typically socket-activated <citerefentry> " "<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" "citerefentry>. To generate debug logs, add the following either to the " "<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " "snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " "type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " "<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" "case doesn't work for you. The KCM logs will be generated at <filename>/var/" "log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " "logs when you no longer need the debugging to be enabled as the sssd-kcm " "service can generate quite a large amount of debugging information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:159 msgid "" "Please note that configuration snippets are, at the moment, only processed " "if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " "exists at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:166 msgid "RENEWALS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:174 #, no-wrap msgid "" "tgt_renewal = true\n" "krb5_renew_interval = 60m\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:168 msgid "" "The sssd-kcm service can be configured to attempt TGT renewal for renewable " "TGTs stored in the KCM ccache. Renewals are only attempted when half of the " "ticket lifetime has been reached. KCM Renewals are configured when the " "following options are set in the [kcm] section: <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:179 msgid "" "SSSD can also inherit krb5 options for renewals from an existing domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: sssd-kcm.8.xml:183 #, no-wrap msgid "" "tgt_renewal = true\n" "tgt_renewal_inherit = domain-name\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:191 #, no-wrap msgid "" "krb5_renew_interval\n" "krb5_renewable_lifetime\n" "krb5_lifetime\n" "krb5_validate\n" "krb5_canonicalize\n" "krb5_auth_timeout\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:187 msgid "" "The following krb5 options can be configured in the [kcm] section to control " "renewal behavior, these options are described in detail below <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:204 msgid "" "The KCM service is configured in the <quote>kcm</quote> section of the sssd." "conf file. Please note that because the KCM service is typically socket-" "activated, it is enough to just restart the <quote>sssd-kcm</quote> service " "after changing options in the <quote>kcm</quote> section of sssd.conf: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:215 msgid "" "The KCM service is configured in the <quote>kcm</quote> For a detailed " "syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:223 msgid "" "The generic SSSD service options such as <quote>debug_level</quote> or " "<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " "the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for a complete list. In addition, " "there are some KCM-specific options as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:234 msgid "socket_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:237 msgid "The socket the KCM service will listen on." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:240 msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:243 msgid "" "<phrase condition=\"have_systemd\"> Note: on platforms where systemd is " "supported, the socket path is overwritten by the one defined in the sssd-kcm." "socket unit file. </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:252 msgid "max_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:255 msgid "How many credential caches does the KCM database allow for all users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:259 msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:264 msgid "max_uid_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:267 msgid "" "How many credential caches does the KCM database allow per UID. This is " "equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:272 msgid "Default: 64" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:277 msgid "max_ccache_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:280 msgid "" "How big can a credential cache be per ccache. Each service ticket accounts " "into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:284 msgid "Default: 65536" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:289 msgid "tgt_renewal (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:292 msgid "Enables TGT renewals functionality." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:295 msgid "Default: False (Automatic renewals disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:300 msgid "tgt_renewal_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:303 msgid "Domain to inherit krb5_* options from, for use with TGT renewals." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:307 #, fuzzy #| msgid "Default: 200000" msgid "Default: NULL" msgstr "Výchozí: 200000" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:318 msgid "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 msgid "sssd-systemtap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-systemtap.5.xml:17 msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:23 msgid "" "This manual page provides information about the systemtap functionality in " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:32 msgid "" "SystemTap Probe points have been added into various locations in SSSD code " "to assist in troubleshooting and analyzing performance related issues." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-systemtap.5.xml:40 msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-systemtap.5.xml:46 msgid "" "Probes and miscellaneous functions are defined in /usr/share/systemtap/" "tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " "respectively." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-systemtap.5.xml:57 msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" "The information below lists the probe points and arguments available in the " "following format:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:64 msgid "probe $name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:67 msgid "Description of probe point" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:70 #, no-wrap msgid "" "variable1:datatype\n" "variable2:datatype\n" "variable3:datatype\n" "...\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:80 msgid "Database Transaction Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:84 msgid "probe sssd_transaction_start" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:87 msgid "" "Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 #: sssd-systemtap.5.xml:131 #, no-wrap msgid "" "nesting:integer\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:97 msgid "probe sssd_transaction_cancel" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:100 msgid "" "Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " "function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:111 msgid "probe sssd_transaction_commit_before" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:114 msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:124 msgid "probe sssd_transaction_commit_after" msgstr "vyzkoušet sssd_transaction_commit_after" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:127 msgid "Probes the sysdb_transaction_commit_after() function." msgstr "Vyzkouší funkci sysdb_transaction_commit_after()." #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:141 msgid "LDAP Search Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:145 msgid "probe sdap_search_send" msgstr "vyzkouší sdap_search_send" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:148 msgid "Probes the sdap_get_generic_ext_send() function." msgstr "Vyzkouší funkci sdap_get_generic_ext_send()." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:152 #, no-wrap msgid "" "base:string\n" "scope:integer\n" "filter:string\n" "attrs:string\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:161 msgid "probe sdap_search_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:164 msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 #, no-wrap msgid "" "base:string\n" "scope:integer\n" "filter:string\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:176 msgid "probe sdap_parse_entry" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:179 msgid "" "Probes the sdap_parse_entry() function. It is called repeatedly with every " "received attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:184 #, no-wrap msgid "" "attr:string\n" "value:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:190 msgid "probe sdap_parse_entry_done" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:193 msgid "" "Probes the sdap_parse_entry() function. It is called when parsing of " "received object is finished." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:201 msgid "probe sdap_deref_send" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:204 msgid "Probes the sdap_deref_search_send() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:208 #, no-wrap msgid "" "base_dn:string\n" "deref_attr:string\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:215 msgid "probe sdap_deref_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:218 msgid "Probes the sdap_deref_search_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:234 msgid "LDAP Account Request Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:238 msgid "probe sdap_acct_req_send" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:241 msgid "Probes the sdap_acct_req_send() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 #, no-wrap msgid "" "entry_type:int\n" "filter_type:int\n" "filter_value:string\n" "extra_value:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:253 msgid "probe sdap_acct_req_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:256 msgid "Probes the sdap_acct_req_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:272 msgid "LDAP User Search Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:276 msgid "probe sdap_search_user_send" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:279 msgid "Probes the sdap_search_user_send() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 #: sssd-systemtap.5.xml:319 #, no-wrap msgid "" "filter:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:288 msgid "probe sdap_search_user_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:291 msgid "Probes the sdap_search_user_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:300 msgid "probe sdap_search_user_save_begin" msgstr "probe sdap_search_user_save_begin" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:303 msgid "Probes the sdap_search_user_save_begin() function." msgstr "Zkouší funkci sdap_search_user_save_begin()." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:312 msgid "probe sdap_search_user_save_end" msgstr "vyzkoušet sdap_search_user_save_end" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:315 msgid "Probes the sdap_search_user_save_end() function." msgstr "Vyzkouší funkci sdap_search_user_save_end()." #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:328 msgid "Data Provider Request Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:332 msgid "probe dp_req_send" msgstr "probe dp_req_send" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:335 msgid "A Data Provider request is submitted." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:338 #, no-wrap msgid "" "dp_req_domain:string\n" "dp_req_name:string\n" "dp_req_target:int\n" "dp_req_method:int\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:346 msgid "probe dp_req_done" msgstr "probe dp_req_done" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:349 msgid "A Data Provider request is completed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:352 #, no-wrap msgid "" "dp_req_name:string\n" "dp_req_target:int\n" "dp_req_method:int\n" "dp_ret:int\n" "dp_errorstr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:365 msgid "MISCELLANEOUS FUNCTIONS" msgstr "RŮZNÉ FUNKCE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:372 msgid "function acct_req_desc(entry_type)" msgstr "function acct_req_desc(entry_type)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:375 msgid "Convert entry_type to string and return string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:380 msgid "" "function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " "filter_value, extra_value)" msgstr "" "funkce sssd_acct_req_probestr(fc_name, entry_type, filter_type, " "filter_value, extra_value)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:384 msgid "Create probe string based on filter type" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:389 msgid "function dp_target_str(target)" msgstr "funkce dp_target_str(target)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:392 msgid "Convert target to string and return string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:397 msgid "function dp_method_str(target)" msgstr "funkce dp_method_str(target)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:400 msgid "Convert method to string and return string" msgstr "Převést metodu na řetězec a vrátit řetězec" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-systemtap.5.xml:410 msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:412 msgid "" "Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" "script_name>.stp</command>), then perform an identity operation and the " "script will collect information from probes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:418 msgid "Provided SystemTap scripts are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:422 msgid "dp_request.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:425 msgid "Monitoring of data provider request performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:430 msgid "id_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:433 msgid "Monitoring of <command>id</command> command performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:439 msgid "ldap_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:442 msgid "Monitoring of LDAP queries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:447 msgid "nested_group_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:450 msgid "Performance of nested groups resolving." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 msgid "sssd-ldap-attributes" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ldap-attributes.5.xml:17 msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap-attributes.5.xml:23 msgid "" "This manual page describes the mapping attributes of SSSD LDAP provider " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " "for full details about SSSD LDAP provider configuration options." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:38 msgid "USER ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:42 msgid "ldap_user_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:45 msgid "The object class of a user entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:48 msgid "Default: posixAccount" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:54 msgid "ldap_user_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:57 msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:61 msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:68 msgid "ldap_user_uid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:71 msgid "The LDAP attribute that corresponds to the user's id." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:75 msgid "Default: uidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:81 msgid "ldap_user_gid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:84 msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:700 msgid "Default: gidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:94 msgid "ldap_user_primary_group (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:97 msgid "" "Active Directory primary group attribute for ID-mapping. Note that this " "attribute should only be set manually if you are running the <quote>ldap</" "quote> provider with ID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:103 msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:109 msgid "ldap_user_gecos (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:112 msgid "The LDAP attribute that corresponds to the user's gecos field." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:116 msgid "Default: gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:122 msgid "ldap_user_home_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:125 msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:129 msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:135 msgid "ldap_user_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:138 msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:142 msgid "Default: loginShell" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:148 msgid "ldap_user_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:151 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:726 msgid "" "Default: not set in the general case, objectGUID for AD and ipaUniqueID for " "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:162 msgid "ldap_user_objectsid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:165 msgid "" "The LDAP attribute that contains the objectSID of an LDAP user object. This " "is usually only necessary for ActiveDirectory servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:741 msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:177 msgid "ldap_user_modify_timestamp (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:751 #: sssd-ldap-attributes.5.xml:874 msgid "" "The LDAP attribute that contains timestamp of the last modification of the " "parent object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:755 #: sssd-ldap-attributes.5.xml:881 msgid "Default: modifyTimestamp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:190 msgid "ldap_user_shadow_last_change (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:193 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " "the last password change)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:203 msgid "Default: shadowLastChange" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:209 msgid "ldap_user_shadow_min (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:212 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " "password age)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:221 msgid "Default: shadowMin" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:227 msgid "ldap_user_shadow_max (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:230 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " "password age)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:239 msgid "Default: shadowMax" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:245 msgid "ldap_user_shadow_warning (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:248 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " "(password warning period)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:258 msgid "Default: shadowWarning" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:264 msgid "ldap_user_shadow_inactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:267 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " "(password inactivity period)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:277 msgid "Default: shadowInactive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:283 msgid "ldap_user_shadow_expire (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:286 msgid "" "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " "parameter contains the name of an LDAP attribute corresponding to its " "<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:296 msgid "Default: shadowExpire" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:302 msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:305 msgid "" "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " "an LDAP attribute storing the date and time of last password change in " "kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:311 msgid "Default: krbLastPwdChange" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:317 msgid "ldap_user_krb_password_expiration (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:320 msgid "" "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " "an LDAP attribute storing the date and time when current password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:326 msgid "Default: krbPasswordExpiration" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:332 msgid "ldap_user_ad_account_expires (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:335 msgid "" "When using ldap_account_expire_policy=ad, this parameter contains the name " "of an LDAP attribute storing the expiration time of the account." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:340 msgid "Default: accountExpires" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:346 msgid "ldap_user_ad_user_account_control (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:349 msgid "" "When using ldap_account_expire_policy=ad, this parameter contains the name " "of an LDAP attribute storing the user account control bit field." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:354 msgid "Default: userAccountControl" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:360 msgid "ldap_ns_account_lock (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:363 msgid "" "When using ldap_account_expire_policy=rhds or equivalent, this parameter " "determines if access is allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:368 msgid "Default: nsAccountLock" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:374 msgid "ldap_user_nds_login_disabled (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:377 msgid "" "When using ldap_account_expire_policy=nds, this attribute determines if " "access is allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 msgid "Default: loginDisabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:387 msgid "ldap_user_nds_login_expiration_time (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:390 msgid "" "When using ldap_account_expire_policy=nds, this attribute determines until " "which date access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:401 msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:404 msgid "" "When using ldap_account_expire_policy=nds, this attribute determines the " "hours of a day in a week when access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:409 msgid "Default: loginAllowedTimeMap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:415 msgid "ldap_user_principal (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:418 msgid "" "The LDAP attribute that contains the user's Kerberos User Principal Name " "(UPN)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:422 msgid "Default: krbPrincipalName" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:428 msgid "ldap_user_extra_attrs (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:431 msgid "" "Comma-separated list of LDAP attributes that SSSD would fetch along with the " "usual set of user attributes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:436 msgid "" "The list can either contain LDAP attribute names only, or colon-separated " "tuples of SSSD cache attribute name and LDAP attribute name. In case only " "LDAP attribute name is specified, the attribute is saved to the cache " "verbatim. Using a custom SSSD attribute name might be required by " "environments that configure several SSSD domains with different LDAP schemas." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:446 msgid "" "Please note that several attribute names are reserved by SSSD, notably the " "<quote>name</quote> attribute. SSSD would report an error if any of the " "reserved attribute names is used as an extra attribute name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:456 msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:459 msgid "" "Save the <quote>telephoneNumber</quote> attribute from LDAP as " "<quote>telephoneNumber</quote> to the cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:463 msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:466 msgid "" "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" "quote> to the cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:476 msgid "ldap_user_ssh_public_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:479 msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:965 msgid "Default: sshPublicKey" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:489 msgid "ldap_user_fullname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:492 msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:502 msgid "ldap_user_member_of (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:505 msgid "The LDAP attribute that lists the user's group memberships." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:952 msgid "Default: memberOf" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:515 msgid "ldap_user_authorized_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:518 msgid "" "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " "use the presence of the authorizedService attribute in the user's LDAP entry " "to determine access privilege." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:525 msgid "" "An explicit deny (!svc) is resolved first. Second, SSSD searches for " "explicit allow (svc) and finally for allow_all (*)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:530 msgid "" "Please note that the ldap_access_order configuration option <emphasis>must</" "emphasis> include <quote>authorized_service</quote> in order for the " "ldap_user_authorized_service option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:537 msgid "" "Some distributions (such as Fedora-29+ or RHEL-8) always include the " "<quote>systemd-user</quote> PAM service as part of the login process. " "Therefore when using service-based access control, the <quote>systemd-user</" "quote> service might need to be added to the list of allowed services." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:545 msgid "Default: authorizedService" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:551 msgid "ldap_user_authorized_host (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:554 msgid "" "If access_provider=ldap and ldap_access_order=host, SSSD will use the " "presence of the host attribute in the user's LDAP entry to determine access " "privilege." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:560 msgid "" "An explicit deny (!host) is resolved first. Second, SSSD searches for " "explicit allow (host) and finally for allow_all (*)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:565 msgid "" "Please note that the ldap_access_order configuration option <emphasis>must</" "emphasis> include <quote>host</quote> in order for the " "ldap_user_authorized_host option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:572 msgid "Default: host" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:578 msgid "ldap_user_authorized_rhost (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:581 msgid "" "If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " "presence of the rhost attribute in the user's LDAP entry to determine access " "privilege. Similarly to host verification process." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:588 msgid "" "An explicit deny (!rhost) is resolved first. Second, SSSD searches for " "explicit allow (rhost) and finally for allow_all (*)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:593 msgid "" "Please note that the ldap_access_order configuration option <emphasis>must</" "emphasis> include <quote>rhost</quote> in order for the " "ldap_user_authorized_rhost option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:600 msgid "Default: rhost" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:606 msgid "ldap_user_certificate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:609 msgid "Name of the LDAP attribute containing the X509 certificate of the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:613 msgid "Default: userCertificate;binary" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:619 msgid "ldap_user_email (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:622 msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:626 msgid "" "Note: If an email address of a user conflicts with an email address or fully " "qualified name of another user, then SSSD will not be able to serve those " "users properly. This option allows users to login by (1) username, and (2) e-" "mail address. If for some reason several users need to share the same email " "address then set this option to a nonexistent attribute name in order to " "disable user lookup/login by email." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:637 msgid "Default: mail" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:642 #, fuzzy #| msgid "simple_deny_users (string)" msgid "ldap_user_passkey (string)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:645 #, fuzzy #| msgid "" #| "The LDAP attribute that contains the names of the netgroup's members." msgid "" "Name of the LDAP attribute containing the passkey mapping data of the user." msgstr "LDAP atribut, který obsahuje jména členů síťové skupiny." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:649 msgid "Default: passkey (LDAP), ipaPassKey (IPA), altSecurityIdentities (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:659 msgid "GROUP ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:663 msgid "ldap_group_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:666 msgid "The object class of a group entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:669 msgid "Default: posixGroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:675 msgid "ldap_group_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:678 msgid "" "The LDAP attribute that corresponds to the group name. In an environment " "with nested groups, this value must be an LDAP attribute which has a unique " "name for every group. This requirement includes non-POSIX groups in the tree " "of nested groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:686 msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:693 msgid "ldap_group_gid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:696 msgid "The LDAP attribute that corresponds to the group's id." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:706 msgid "ldap_group_member (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:709 msgid "The LDAP attribute that contains the names of the group's members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:713 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:719 msgid "ldap_group_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:722 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:733 msgid "ldap_group_objectsid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:736 msgid "" "The LDAP attribute that contains the objectSID of an LDAP group object. This " "is usually only necessary for ActiveDirectory servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:748 msgid "ldap_group_modify_timestamp (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:761 msgid "ldap_group_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:764 msgid "" "The LDAP attribute that contains an integer value indicating the type of the " "group and maybe other flags." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:769 msgid "" "This attribute is currently only used by the AD provider to determine if a " "group is a domain local groups and has to be filtered out for trusted " "domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:775 msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:782 msgid "ldap_group_external_member (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:785 msgid "" "The LDAP attribute that references group members that are defined in an " "external domain. At the moment, only IPA's external members are supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:791 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:801 msgid "NETGROUP ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:805 msgid "ldap_netgroup_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:808 msgid "The object class of a netgroup entry in LDAP." msgstr "Třída objektu položky dané netgroup v LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:811 msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:815 msgid "Default: nisNetgroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:821 msgid "ldap_netgroup_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:824 msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "LDAP atribut, který odpovídá názvu netgroup." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:828 msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:838 msgid "ldap_netgroup_member (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:841 msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "LDAP atribut, který obsahuje jména členů síťové skupiny." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:845 msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:849 msgid "Default: memberNisNetgroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:855 msgid "ldap_netgroup_triple (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:858 msgid "" "The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:862 sssd-ldap-attributes.5.xml:878 msgid "This option is not available in IPA provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:865 msgid "Default: nisNetgroupTriple" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:871 msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:890 msgid "HOST ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:894 msgid "ldap_host_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:897 msgid "The object class of a host entry in LDAP." msgstr "Třída objektu položky hostitele v LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:900 sssd-ldap-attributes.5.xml:997 msgid "Default: ipService" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:906 msgid "ldap_host_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:909 sssd-ldap-attributes.5.xml:935 msgid "The LDAP attribute that corresponds to the host's name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:919 msgid "ldap_host_fqdn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:922 msgid "" "The LDAP attribute that corresponds to the host's fully-qualified domain " "name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:926 msgid "Default: fqdn" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:932 msgid "ldap_host_serverhostname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:939 msgid "Default: serverHostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:945 msgid "ldap_host_member_of (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:948 msgid "The LDAP attribute that lists the host's group memberships." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:958 msgid "ldap_host_ssh_public_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:961 msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "LDAP atribut, který obsahuje veřejné části SSH klíčů hostitele." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:971 msgid "ldap_host_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:974 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:987 msgid "SERVICE ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:991 msgid "ldap_service_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:994 msgid "The object class of a service entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1003 msgid "ldap_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1006 msgid "" "The LDAP attribute that contains the name of service attributes and their " "aliases." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1016 msgid "ldap_service_port (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1019 msgid "The LDAP attribute that contains the port managed by this service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1023 msgid "Default: ipServicePort" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1029 msgid "ldap_service_proto (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1032 msgid "" "The LDAP attribute that contains the protocols understood by this service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1036 msgid "Default: ipServiceProtocol" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1045 msgid "SUDO ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1049 msgid "ldap_sudorule_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1052 msgid "The object class of a sudo rule entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1055 msgid "Default: sudoRole" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1061 msgid "ldap_sudorule_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1064 msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1074 msgid "ldap_sudorule_command (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1077 msgid "The LDAP attribute that corresponds to the command name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1081 msgid "Default: sudoCommand" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1087 msgid "ldap_sudorule_host (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1090 msgid "" "The LDAP attribute that corresponds to the host name (or host IP address, " "host IP network, or host netgroup)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1095 msgid "Default: sudoHost" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1101 msgid "ldap_sudorule_user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1104 msgid "" "The LDAP attribute that corresponds to the user name (or UID, group name or " "user's netgroup)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1108 msgid "Default: sudoUser" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1114 msgid "ldap_sudorule_option (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1117 msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1121 msgid "Default: sudoOption" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1127 msgid "ldap_sudorule_runasuser (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1130 msgid "" "The LDAP attribute that corresponds to the user name that commands may be " "run as." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1134 msgid "Default: sudoRunAsUser" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1140 msgid "ldap_sudorule_runasgroup (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1143 msgid "" "The LDAP attribute that corresponds to the group name or group GID that " "commands may be run as." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1147 msgid "Default: sudoRunAsGroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1153 msgid "ldap_sudorule_notbefore (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1156 msgid "" "The LDAP attribute that corresponds to the start date/time for when the sudo " "rule is valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1160 msgid "Default: sudoNotBefore" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1166 msgid "ldap_sudorule_notafter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1169 msgid "" "The LDAP attribute that corresponds to the expiration date/time, after which " "the sudo rule will no longer be valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1174 msgid "Default: sudoNotAfter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1180 msgid "ldap_sudorule_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1183 msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1187 msgid "Default: sudoOrder" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1196 msgid "AUTOFS ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1203 msgid "IP HOST ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1207 msgid "ldap_iphost_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1210 msgid "The object class of an iphost entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1213 msgid "Default: ipHost" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1219 msgid "ldap_iphost_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1222 msgid "" "The LDAP attribute that contains the name of the IP host attributes and " "their aliases." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1232 msgid "ldap_iphost_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1235 msgid "The LDAP attribute that contains the IP host address." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1239 msgid "Default: ipHostNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1248 msgid "IP NETWORK ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1252 msgid "ldap_ipnetwork_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1255 msgid "The object class of an ipnetwork entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1258 msgid "Default: ipNetwork" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1264 msgid "ldap_ipnetwork_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1267 msgid "" "The LDAP attribute that contains the name of the IP network attributes and " "their aliases." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1277 msgid "ldap_ipnetwork_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1280 msgid "The LDAP attribute that contains the IP network address." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1284 msgid "Default: ipNetworkNumber" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd_krb5_localauth_plugin.8.xml:10 sssd_krb5_localauth_plugin.8.xml:15 msgid "sssd_krb5_localauth_plugin" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd_krb5_localauth_plugin.8.xml:16 msgid "Kerberos local authorization plugin" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:22 msgid "" "The Kerberos local authorization plugin <command>sssd_krb5_localauth_plugin</" "command> is used by libkrb5 to either find the local name for a given " "Kerberos principal or to check if a given local name and a given Kerberos " "principal relate to each other." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:29 msgid "" "SSSD handles the local names for users from a remote source and can read the " "Kerberos user principal name from the remote source as well. With this " "information SSSD can easily handle the mappings mentioned above even if the " "local name and the Kerberos principal differ considerably." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:36 msgid "" "Additionally with the information read from the remote source SSSD can help " "to prevent unexpected or unwanted mappings in case the user part of the " "Kerberos principal accidentally corresponds to a local name of a different " "user. By default libkrb5 might just strip the realm part of the Kerberos " "principal to get the local name which would lead to wrong mappings in this " "case." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd_krb5_localauth_plugin.8.xml:46 msgid "CONFIGURATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd_krb5_localauth_plugin.8.xml:56 #, no-wrap msgid "" "[plugins]\n" " localauth = {\n" " module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so\n" " }\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:48 msgid "" "The Kerberos local authorization plugin must be enabled explicitly in the " "Kerberos configuration, see <citerefentry> <refentrytitle>krb5.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. SSSD will create a " "config snippet with the content like e.g. <placeholder " "type=\"programlisting\" id=\"0\"/> automatically in the SSSD's public " "Kerberos configuration snippet directory. If this directory is included in " "the local Kerberos configuration the plugin will be enabled automatically." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:3 msgid "ldap_autofs_map_object_class (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:6 msgid "The object class of an automount map entry in LDAP." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:9 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:16 msgid "ldap_autofs_map_name (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:19 msgid "The name of an automount map entry in LDAP." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:22 msgid "" "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:29 msgid "ldap_autofs_entry_object_class (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:32 msgid "" "The object class of an automount entry in LDAP. The entry usually " "corresponds to a mount point." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:37 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:44 msgid "ldap_autofs_entry_key (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 msgid "" "The key of an automount entry in LDAP. The entry usually corresponds to a " "mount point." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:51 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:58 msgid "ldap_autofs_entry_value (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:65 msgid "" "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " "automountInformation" msgstr "" #. type: Content of: <refsect1><title> #: include/service_discovery.xml:2 msgid "SERVICE DISCOVERY" msgstr "OBJEVOVÁNÍ SLUŽBY" #. type: Content of: <refsect1><para> #: include/service_discovery.xml:4 msgid "" "The service discovery feature allows back ends to automatically find the " "appropriate servers to connect to using a special DNS query. This feature is " "not supported for backup servers." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 msgid "Configuration" msgstr "Nastavení" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:11 msgid "" "If no servers are specified, the back end automatically uses service " "discovery to try to find a server. Optionally, the user may choose to use " "both fixed server addresses and service discovery by inserting a special " "keyword, <quote>_srv_</quote>, in the list of servers. The order of " "preference is maintained. This feature is useful if, for example, the user " "prefers to use service discovery whenever possible, and fall back to a " "specific server when no servers can be discovered using DNS." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:23 msgid "The domain name" msgstr "Název domény" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:25 msgid "" "Please refer to the <quote>dns_discovery_domain</quote> parameter in the " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for more details." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:35 msgid "The protocol" msgstr "Protokol" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:37 msgid "" "The queries usually specify _tcp as the protocol. Exceptions are documented " "in respective option description." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:42 msgid "See Also" msgstr "Viz také" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:44 msgid "" "For more information on the service discovery mechanism, refer to RFC 2782." msgstr "" #. type: Content of: <refentryinfo> #: include/upstream.xml:2 msgid "" "<productname>SSSD</productname> <orgname>The SSSD upstream - https://github." "com/SSSD/sssd/</orgname>" msgstr "" #. type: Content of: outside any tag (error?) #: include/upstream.xml:1 msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" msgstr "<placeholder type=\"refentryinfo\" id=\"0\"/>" #. type: Content of: <refsect1><title> #: include/failover.xml:2 msgid "FAILOVER" msgstr "" #. type: Content of: <refsect1><para> #: include/failover.xml:4 msgid "" "The failover feature allows back ends to automatically switch to a different " "server if the current server fails." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/failover.xml:8 msgid "Failover Syntax" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:10 msgid "" "The list of servers is given as a comma-separated list; any number of spaces " "is allowed around the comma. The servers are listed in order of preference. " "The list can contain any number of servers." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:16 msgid "" "For each failover-enabled config option, two variants exist: " "<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " "that servers in the primary list are preferred and backup servers are only " "searched if no primary servers can be reached. If a backup server is " "selected, a timeout of 31 seconds is set. After this timeout SSSD will " "periodically try to reconnect to one of the primary servers. If it succeeds, " "it will replace the current active (backup) server." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/failover.xml:27 msgid "The Failover Mechanism" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:29 msgid "" "The failover mechanism distinguishes between a machine and a service. The " "back end first tries to resolve the hostname of a given machine; if this " "resolution attempt fails, the machine is considered offline. No further " "attempts are made to connect to this machine for any other service. If the " "resolution attempt succeeds, the back end tries to connect to a service on " "this machine. If the service connection attempt fails, then only this " "particular service is considered offline and the back end automatically " "switches over to the next service. The machine is still considered online " "and might still be tried for another service." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:42 msgid "" "Further connection attempts are made to machines or services marked as " "offline after a specified period of time; this is currently hard coded to 30 " "seconds." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:47 msgid "" "If there are no more machines to try, the back end as a whole switches to " "offline mode, and then attempts to reconnect every 30 seconds." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/failover.xml:53 msgid "Failover time outs and tuning" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:55 msgid "" "Resolving a server to connect to can be as simple as running a single DNS " "query or can involve several steps, such as finding the correct site or " "trying out multiple host names in case some of the configured servers are " "not reachable. The more complex scenarios can take some time and SSSD needs " "to balance between providing enough time to finish the resolution process " "but on the other hand, not trying for too long before falling back to " "offline mode. If the SSSD debug logs show that the server resolution is " "timing out before a live server is contacted, you can consider changing the " "time outs." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> #: include/failover.xml:76 msgid "dns_resolver_server_timeout" msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: include/failover.xml:80 msgid "" "Time in milliseconds that sets how long would SSSD talk to a single DNS " "server before trying next one." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> #: include/failover.xml:90 msgid "dns_resolver_op_timeout" msgstr "dns_resolver_op_timeout" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: include/failover.xml:94 msgid "" "Time in seconds to tell how long would SSSD try to resolve single DNS query " "(e.g. resolution of a hostname or an SRV record) before trying the next " "hostname or discovery domain." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> #: include/failover.xml:106 msgid "dns_resolver_timeout" msgstr "dns_resolver_timeout" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: include/failover.xml:110 msgid "" "How long would SSSD try to resolve a failover service. This service " "resolution internally might include several steps, such as resolving DNS SRV " "queries or locating the site." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:67 msgid "" "This section lists the available tunables. Please refer to their description " "in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" "manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " "id=\"0\"/>" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:123 msgid "" "For LDAP-based providers, the resolve operation is performed as part of an " "LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout</" "quote> timeout should be set to a larger value than " "<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " "value than <quote>dns_resolver_op_timeout</quote> which should be larger " "than <quote>dns_resolver_server_timeout</quote>." msgstr "" #. type: Content of: <refsect1><title> #: include/ldap_id_mapping.xml:2 msgid "ID MAPPING" msgstr "MAPOVÁNÍ IDENTIFIKÁTORŮ" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:4 msgid "" "The ID-mapping feature allows SSSD to act as a client of Active Directory " "without requiring administrators to extend user attributes to support POSIX " "attributes for user and group identifiers." msgstr "" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:9 msgid "" "NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " "ignored. This is to avoid the possibility of conflicts between automatically-" "assigned and manually-assigned values. If you need to use manually-assigned " "values, ALL values must be manually-assigned." msgstr "" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:16 msgid "" "Please note that changing the ID mapping related configuration options will " "cause user and group IDs to change. At the moment, SSSD does not support " "changing IDs, so the SSSD database must be removed. Because cached passwords " "are also stored in the database, removing the database should only be " "performed while the authentication servers are reachable, otherwise users " "might get locked out. In order to cache the password, an authentication must " "be performed. It is not sufficient to use <citerefentry> " "<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" "citerefentry> to remove the database, rather the process consists of:" msgstr "" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:33 msgid "Making sure the remote servers are reachable" msgstr "" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:38 msgid "Stopping the SSSD service" msgstr "Zastavování služby SSSD" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:43 msgid "Removing the database" msgstr "Odebrání databáze" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:48 msgid "Starting the SSSD service" msgstr "Spuštění služby SSSD" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:52 msgid "" "Moreover, as the change of IDs might necessitate the adjustment of other " "system properties such as file and directory ownership, it's advisable to " "plan ahead and test the ID mapping configuration thoroughly." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ldap_id_mapping.xml:59 msgid "Mapping Algorithm" msgstr "Mapovací algoritmus" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:61 msgid "" "Active Directory provides an objectSID for every user and group object in " "the directory. This objectSID can be broken up into components that " "represent the Active Directory domain identity and the relative identifier " "(RID) of the user or group object." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:67 msgid "" "The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " "into equally-sized component sections - called \"slices\"-. Each slice " "represents the space available to an Active Directory domain." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:73 msgid "" "When a user or group entry for a particular domain is encountered for the " "first time, the SSSD allocates one of the available slices for that domain. " "In order to make this slice-assignment repeatable on different client " "machines, we select the slice based on the following algorithm:" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:80 msgid "" "The SID string is passed through the murmurhash3 algorithm to convert it to " "a 32-bit hashed value. We then take the modulus of this value with the total " "number of available slices to pick the slice." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:86 msgid "" "NOTE: It is possible to encounter collisions in the hash and subsequent " "modulus. In these situations, we will select the next available slice, but " "it may not be possible to reproduce the same exact set of slices on other " "machines (since the order that they are encountered will determine their " "slice). In this situation, it is recommended to either switch to using " "explicit POSIX attributes in Active Directory (disabling ID-mapping) or " "configure a default domain to guarantee that at least one is always " "consistent. See <quote>Configuration</quote> for details." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:101 msgid "" "Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" msgstr "" #. type: Content of: <refsect1><refsect2><para><programlisting> #: include/ldap_id_mapping.xml:106 #, no-wrap msgid "" "ldap_id_mapping = True\n" "ldap_schema = ad\n" msgstr "" "ldap_id_mapping = True\n" "ldap_schema = ad\n" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:111 msgid "" "The default configuration results in configuring 10,000 slices, each capable " "of holding up to 200,000 IDs, starting from 200,000 and going up to " "2,000,200,000. This should be sufficient for most deployments." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><title> #: include/ldap_id_mapping.xml:117 msgid "Advanced Configuration" msgstr "Pokročilé nastavení" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:120 msgid "ldap_idmap_range_min (integer)" msgstr "ldap_idmap_range_min (celé číslo)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:123 msgid "" "Specifies the lower (inclusive) bound of the range of POSIX IDs to use for " "mapping Active Directory user and group SIDs. It is the first POSIX ID which " "can be used for the mapping." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:129 msgid "" "NOTE: This option is different from <quote>min_id</quote> in that " "<quote>min_id</quote> acts to filter the output of requests to this domain, " "whereas this option controls the range of ID assignment. This is a subtle " "distinction, but the good general advice would be to have <quote>min_id</" "quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:139 include/ldap_id_mapping.xml:197 msgid "Default: 200000" msgstr "Výchozí: 200000" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:144 msgid "ldap_idmap_range_max (integer)" msgstr "ldap_idmap_range_max (celé číslo)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:147 msgid "" "Specifies the upper (exclusive) bound of the range of POSIX IDs to use for " "mapping Active Directory user and group SIDs. It is the first POSIX ID which " "cannot be used for the mapping anymore, i.e. one larger than the last one " "which can be used for the mapping." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:155 msgid "" "NOTE: This option is different from <quote>max_id</quote> in that " "<quote>max_id</quote> acts to filter the output of requests to this domain, " "whereas this option controls the range of ID assignment. This is a subtle " "distinction, but the good general advice would be to have <quote>max_id</" "quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:165 msgid "Default: 2000200000" msgstr "Výchozí: 2000200000" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:170 msgid "ldap_idmap_range_size (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:173 msgid "" "Specifies the number of IDs available for each slice. If the range size " "does not divide evenly into the min and max values, it will create as many " "complete slices as it can." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:179 msgid "" "NOTE: The value of this option must be at least as large as the highest user " "RID planned for use on the Active Directory server. User lookups and login " "will fail for any user whose RID is greater than this value." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:185 msgid "" "For example, if your most recently-added Active Directory user has " "objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " "<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " "equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:192 msgid "" "It is important to plan ahead for future expansion, as changing this value " "will result in changing all of the ID mappings on the system, leading to " "users with different local IDs than they previously had." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:202 msgid "ldap_idmap_default_domain_sid (string)" msgstr "ldap_idmap_default_domain_sid (řetězec)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:205 msgid "" "Specify the domain SID of the default domain. This will guarantee that this " "domain will always be assigned to slice zero in the ID map, bypassing the " "murmurhash algorithm described above." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:216 msgid "ldap_idmap_default_domain (string)" msgstr "ldap_idmap_default_domain (řetězec)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:219 msgid "Specify the name of the default domain." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:227 msgid "ldap_idmap_autorid_compat (boolean)" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:230 msgid "" "Changes the behavior of the ID-mapping algorithm to behave more similarly to " "winbind's <quote>idmap_autorid</quote> algorithm." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:235 msgid "" "When this option is configured, domains will be allocated starting with " "slice zero and increasing monotonically with each additional domain." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:240 msgid "" "NOTE: This algorithm is non-deterministic (it depends on the order that " "users and groups are requested). If this mode is required for compatibility " "with machines running winbind, it is recommended to also use the " "<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " "least one domain is consistently allocated to slice zero." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:255 msgid "ldap_idmap_helper_table_size (integer)" msgstr "ldap_idmap_helper_table_size (celé číslo)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:258 msgid "" "Maximal number of secondary slices that is tried when performing mapping " "from UNIX id to SID." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:262 msgid "" "Note: Additional secondary slices might be generated when SID is being " "mapped to UNIX id and RID part of SID is out of range for secondary slices " "generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " "then no additional secondary slices are generated." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ldap_id_mapping.xml:279 msgid "Well-Known SIDs" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:281 msgid "" "SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " "special hardcoded meaning. Since the generic users and groups related to " "those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " "POSIX IDs are available for those objects." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:287 msgid "" "The SID name space is organized in authorities which can be seen as " "different domains. The authorities for the Well-Known SIDs are" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:290 msgid "Null Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:291 msgid "World Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:292 msgid "Local Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:293 msgid "Creator Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:294 msgid "Mandatory Label Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:295 msgid "Authentication Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:296 msgid "NT Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:297 msgid "Built-in" msgstr "Vestavěné" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:299 msgid "" "The capitalized version of these names are used as domain names when " "returning the fully qualified name of a Well-Known SID." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:303 msgid "" "Since some utilities allow to modify SID based access control information " "with the help of a name instead of using the SID directly SSSD supports to " "look up the SID by the name as well. To avoid collisions only the fully " "qualified names can be used to look up Well-Known SIDs. As a result the " "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " "<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, " "<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</" "quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be " "used as domain names in <filename>sssd.conf</filename>." msgstr "" #. type: Content of: <varlistentry><term> #: include/param_help.xml:3 msgid "<option>-?</option>,<option>--help</option>" msgstr "<option>-?</option>,<option>--help</option>" #. type: Content of: <varlistentry><listitem><para> #: include/param_help.xml:7 include/param_help_py.xml:7 msgid "Display help message and exit." msgstr "Zobraz nápovědu a ukonči program." #. type: Content of: <varlistentry><term> #: include/param_help_py.xml:3 msgid "<option>-h</option>,<option>--help</option>" msgstr "<option>-h</option>,<option>--help</option>" #. type: Content of: <listitem><para> #: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 msgid "" "SSSD supports two representations for specifying the debug level. The " "simplest is to specify a decimal value from 0-9, which represents enabling " "that level and all lower-level debug messages. The more comprehensive option " "is to specify a hexadecimal bitmask to enable or disable specific levels " "(such as if you wish to suppress a level)." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:10 msgid "" "Please note that each SSSD service logs into its own log file. Also please " "note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " "section only enables debugging just for the sssd process itself, not for the " "responder or provider processes. The <quote>debug_level</quote> parameter " "should be added to all sections that you wish to produce debug logs from." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:18 msgid "" "In addition to changing the log level in the config file using the " "<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " "restart, it is also possible to change the debug level on the fly using the " "<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" "manvolnum> </citerefentry> tool." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 msgid "Currently supported debug levels:" msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 msgid "" "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " "Anything that would prevent SSSD from starting up or causes it to cease " "running." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 msgid "" "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " "error that doesn't kill SSSD, but one that indicates that at least one major " "feature is not going to work properly." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 msgid "" "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " "error announcing that a particular request or operation has failed." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 msgid "" "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " "are the errors that would percolate down to cause the operation failure of 2." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 msgid "" "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 msgid "" "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " "operation functions." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 msgid "" "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " "internal control functions." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 msgid "" "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" "internal variables that may be interesting." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 msgid "" "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " "tracing information." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:81 msgid "" "<emphasis>9</emphasis>, <emphasis>0x20000</emphasis>: Performance and " "statistical data, please note that due to the way requests are processed " "internally the logged execution time of a request might be longer than it " "actually was." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:88 include/debug_levels_tools.xml:62 msgid "" "<emphasis>10</emphasis>, <emphasis>0x10000</emphasis>: Even more low-level " "libldb tracing information. Almost never really required." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:93 include/debug_levels_tools.xml:67 msgid "" "To log required bitmask debug levels, simply add their numbers together as " "shown in following examples:" msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:97 include/debug_levels_tools.xml:71 msgid "" "<emphasis>Example</emphasis>: To log fatal failures, critical failures, " "serious failures and function data use 0x0270." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:101 include/debug_levels_tools.xml:75 msgid "" "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " "function data, trace messages for internal control functions use 0x1310." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:106 include/debug_levels_tools.xml:80 msgid "" "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " "in 1.7.0." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:110 include/debug_levels_tools.xml:84 msgid "" "<emphasis>Default</emphasis>: 0x0070 (i.e. fatal, critical and serious " "failures; corresponds to setting 2 in decimal notation)" msgstr "" #. type: Content of: <refsect1><title> #: include/local.xml:2 msgid "THE LOCAL DOMAIN" msgstr "" #. type: Content of: <refsect1><para> #: include/local.xml:4 msgid "" "In order to function correctly, a domain with <quote>id_provider=local</" "quote> must be created and the SSSD must be running." msgstr "" #. type: Content of: <refsect1><para> #: include/local.xml:9 msgid "" "The administrator might want to use the SSSD local users instead of " "traditional UNIX users in cases where the group nesting (see <citerefentry> " "<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" "citerefentry>) is needed. The local users are also useful for testing and " "development of the SSSD without having to deploy a full remote server. The " "<command>sss_user*</command> and <command>sss_group*</command> tools use a " "local LDB storage to store users and groups." msgstr "" #. type: Content of: <refsect1><para> #: include/seealso.xml:4 msgid "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd-ldap-attributes</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd-simple</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd-ad</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase " "condition=\"with_files_provider\"> <citerefentry> <refentrytitle>sssd-files</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, </phrase> <phrase " "condition=\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> " "<citerefentry> <refentrytitle>sssd-session-recording</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sss_seed</" "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</" "manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> <citerefentry> " "<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>8</" "manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" "manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" "refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " "<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " "<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> </phrase>" msgstr "" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:3 msgid "" "An optional base DN, search scope and LDAP filter to restrict LDAP searches " "for this attribute type." msgstr "" #. type: Content of: <listitem><para><programlisting> #: include/ldap_search_bases.xml:9 #, no-wrap msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:7 msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "syntaxe: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:13 msgid "" "The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope " "functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" "rfc4511" msgstr "" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:23 msgid "" "For examples of this syntax, please refer to the <quote>ldap_search_base</" "quote> examples section." msgstr "" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:31 msgid "" "Please note that specifying scope or filter is not supported for searches " "against an Active Directory Server that might yield a large number of " "results and trigger the Range Retrieval extension in the response." msgstr "" #. type: Content of: <para> #: include/autofs_restart.xml:2 msgid "" "Please note that the automounter only reads the master map on startup, so if " "any autofs-related changes are made to the sssd.conf, you typically also " "need to restart the automounter daemon after restarting the SSSD." msgstr "" #. type: Content of: <varlistentry><term> #: include/override_homedir.xml:2 msgid "override_homedir (string)" msgstr "override_homedir (řetězec)" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:16 msgid "UID number" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:20 msgid "domain name" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:23 msgid "%f" msgstr "%f" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:24 msgid "fully qualified user name (user@domain)" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:27 msgid "%l" msgstr "%l" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:28 msgid "The first letter of the login name." msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:32 msgid "UPN - User Principal Name (name@REALM)" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:35 msgid "%o" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:37 msgid "The original home directory retrieved from the identity provider." msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:44 msgid "" "The original home directory retrieved from the identity provider, but in " "lower case." msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:49 msgid "%H" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:51 msgid "The value of configure option <emphasis>homedir_substring</emphasis>." msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:5 msgid "" "Override the user's home directory. You can either provide an absolute value " "or a template. In the template, the following sequences are substituted: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:63 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <varlistentry><listitem><para><programlisting> #: include/override_homedir.xml:68 #, no-wrap msgid "" "override_homedir = /home/%u\n" " " msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:72 msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:76 msgid "" "Please note, the home directory from a specific override for the user, " "either locally (see <citerefentry><refentrytitle>sss_override</" "refentrytitle> <manvolnum>8</manvolnum></citerefentry>) or centrally managed " "IPA id-overrides, has a higher precedence and will be used instead of the " "value given by override_homedir." msgstr "" #. type: Content of: <varlistentry><term> #: include/homedir_substring.xml:2 msgid "homedir_substring (string)" msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/homedir_substring.xml:5 msgid "" "The value of this option will be used in the expansion of the " "<emphasis>override_homedir</emphasis> option if the template contains the " "format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " "contain this template so that this option can be used to expand the home " "directory path for each client machine (or operating system). It can be set " "per-domain or globally in the [nss] section. A value specified in a domain " "section will override one set in the [nss] section." msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/homedir_substring.xml:15 msgid "Default: /home" msgstr "" #. type: Content of: <refsect1><title> #: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 msgid "MODIFIED DEFAULT OPTIONS" msgstr "" #. type: Content of: <refsect1><para> #: include/ad_modified_defaults.xml:4 msgid "" "Certain option defaults do not match their respective backend provider " "defaults, these option names and AD provider-specific defaults are listed " "below:" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 msgid "KRB5 Provider" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 msgid "krb5_validate = true" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:18 msgid "krb5_use_enterprise_principal = true" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:24 msgid "LDAP Provider" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:28 msgid "ldap_schema = ad" msgstr "ldap_schema = ad" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 msgid "ldap_force_upper_case_realm = true" msgstr "ldap_force_upper_case_realm = true" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:38 msgid "ldap_id_mapping = true" msgstr "ldap_id_mapping = true" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:43 msgid "ldap_sasl_mech = GSS-SPNEGO" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:48 msgid "ldap_referrals = false" msgstr "ldap_referrals = false" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:53 msgid "ldap_account_expire_policy = ad" msgstr "ldap_account_expire_policy = ad" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 msgid "ldap_use_tokengroups = true" msgstr "ldap_use_tokengroups = true" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:63 msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:66 msgid "" "The AD provider looks for a different principal than the LDAP provider by " "default, because in an Active Directory environment the principals are " "divided into two groups - User Principals and Service Principals. Only User " "Principal can be used to obtain a TGT and by default, computer object's " "principal is constructed from its sAMAccountName and the AD realm. The well-" "known host/hostname@REALM principal is a Service Principal and thus cannot " "be used to get a TGT with." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:80 msgid "NSS configuration" msgstr "Nastavení NSS" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:84 msgid "fallback_homedir = /home/%d/%u" msgstr "fallback_homedir = /home/%d/%u" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:87 msgid "" "The AD provider automatically sets \"fallback_homedir = /home/%d/%u\" to " "provide personal home directories for users without the homeDirectory " "attribute. If your AD Domain is properly populated with Posix attributes, " "and you want to avoid this fallback behavior, you can explicitly set " "\"fallback_homedir = %o\"." msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:96 msgid "" "Note that the system typically expects a home directory in /home/%u folder. " "If you decide to use a different directory structure, some other parts of " "your system may need adjustments." msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:102 msgid "" "For example automated creation of home directories in combination with " "selinux requires selinux adjustment, otherwise the home directory will be " "created with wrong selinux context." msgstr "" #. type: Content of: <refsect1><para> #: include/ipa_modified_defaults.xml:4 msgid "" "Certain option defaults do not match their respective backend provider " "defaults, these option names and IPA provider-specific defaults are listed " "below:" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:18 msgid "krb5_use_fast = try" msgstr "krb5_use_fast = try" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:23 msgid "krb5_canonicalize = true" msgstr "krb5_canonicalize = true" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:29 msgid "LDAP Provider - General" msgstr "LDAP poskytovatel – obecné" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:33 msgid "ldap_schema = ipa_v1" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:43 msgid "ldap_sasl_mech = GSSAPI" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:48 msgid "ldap_sasl_minssf = 56" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:53 msgid "ldap_account_expire_policy = ipa" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:64 msgid "LDAP Provider - User options" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:68 msgid "ldap_user_member_of = memberOf" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:73 msgid "ldap_user_uuid = ipaUniqueID" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:78 msgid "ldap_user_ssh_public_key = ipaSshPubKey" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:83 msgid "ldap_user_auth_type = ipaUserAuthType" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:89 msgid "LDAP Provider - Group options" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:93 msgid "ldap_group_object_class = ipaUserGroup" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:98 msgid "ldap_group_object_class_alt = posixGroup" msgstr "ldap_group_object_class_alt = posixGroup" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:103 msgid "ldap_group_member = member" msgstr "ldap_group_member = member" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:108 msgid "ldap_group_uuid = ipaUniqueID" msgstr "ldap_group_uuid = ipaUniqueID" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:113 msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" msgstr "ldap_group_objectsid = ipaNTSecurityIdentifier" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:118 msgid "ldap_group_external_member = ipaExternalMember" msgstr "ldap_group_external_member = ipaExternalMember" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:3 msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:6 msgid "" "Timeout in seconds after an online authentication request or change password " "request is aborted. If possible, the authentication request is continued " "offline." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:17 msgid "krb5_validate (boolean)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:20 msgid "" "Verify with the help of krb5_keytab that the TGT obtained has not been " "spoofed. The keytab is checked for entries sequentially, and the first entry " "with a matching realm is used for validation. If no entry matches the realm, " "the last entry in the keytab is used. This process can be used to validate " "environments using cross-realm trust by placing the appropriate keytab entry " "as the last entry or the only entry in the keytab file." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:29 msgid "Default: false (IPA and AD provider: true)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:32 msgid "" "Please note that the ticket validation is the first step when checking the " "PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for " "details). If ticket validation is disabled the PAC checks will be skipped as " "well." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:44 msgid "krb5_renewable_lifetime (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:47 msgid "" "Request a renewable ticket with a total lifetime, given as an integer " "immediately followed by a time unit:" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:52 include/krb5_options.xml:86 #: include/krb5_options.xml:123 msgid "<emphasis>s</emphasis> for seconds" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:55 include/krb5_options.xml:89 #: include/krb5_options.xml:126 msgid "<emphasis>m</emphasis> for minutes" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:58 include/krb5_options.xml:92 #: include/krb5_options.xml:129 msgid "<emphasis>h</emphasis> for hours" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:61 include/krb5_options.xml:95 #: include/krb5_options.xml:132 msgid "<emphasis>d</emphasis> for days." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:64 include/krb5_options.xml:135 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:68 include/krb5_options.xml:139 msgid "" "NOTE: It is not possible to mix units. To set the renewable lifetime to one " "and a half hours, use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:73 msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:79 msgid "krb5_lifetime (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:82 msgid "" "Request ticket with a lifetime, given as an integer immediately followed by " "a time unit:" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:98 msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:102 msgid "" "NOTE: It is not possible to mix units. To set the lifetime to one and a " "half hours please use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:107 msgid "" "Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:114 msgid "krb5_renew_interval (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:117 msgid "" "The time in seconds between two checks if the TGT should be renewed. TGTs " "are renewed if about half of their lifetime is exceeded, given as an integer " "immediately followed by a time unit:" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:144 msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:157 msgid "" "Specifies if the host and user principal should be canonicalized. This " "feature is available with MIT Kerberos 1.7 and later versions." msgstr "" #~ msgid "sss_groupdel" #~ msgstr "sss_groupdel" #~ msgid "delete a group" #~ msgstr "vymazat skupinu" #~ msgid "" #~ "<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" #~ "replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" #~ "arg>" #~ msgstr "" #~ "<command>sss_groupdel</command> <arg choice='opt'> <replaceable>volby</" #~ "replaceable> </arg> <arg choice='plain'><replaceable>SKUPINA</" #~ "replaceable></arg>" #~ msgid "" #~ "<command>sss_groupdel</command> deletes a group identified by its name " #~ "<replaceable>GROUP</replaceable> from the system." #~ msgstr "" #~ "<command>sss_groupdel</command> odstraní ze systému skupinu určenou jejím " #~ "jménem<replaceable>SKUPINA</replaceable>."

# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Red Hat # This file is distributed under the same license as the sssd-docs package. # # Translators: # sgallagh , 2011 # Zdenek , 2017. #zanata # Pavel Borecki , 2019. #zanata msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.3.0\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" "POT-Creation-Date: 2024-05-16 13:37+0200\n" "PO-Revision-Date: 2022-05-20 09:18+0000\n" "Last-Translator: Pavel Borecki \n" "Language-Team: Czech \n" "Language: cs\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=3; plural=(n==1) ? 0 : (n>=2 && n<=4) ? 1 : 2;\n" "X-Generator: Weblate 4.12.2\n" #. type: Content of: #: sssd.conf.5.xml:8 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 #: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 #: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 #: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sssd-krb5.5.xml:5 #: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-session-recording.5.xml:5 sssd-kcm.8.xml:5 #: sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 #: sssd_krb5_localauth_plugin.8.xml:5 msgid "SSSD Manual pages" msgstr "Manuálové stránky SSSD" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd.conf.5.xml:13 sssd.conf.5.xml:19 msgid "sssd.conf" msgstr "sssd.conf" # auto translated by TM merge from project: Fedora Elections Guide, version: # master, DocId: Methods #. type: Content of: <reference><refentry><refmeta><manvolnum> #: sssd.conf.5.xml:14 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-session-recording.5.xml:11 sssd-systemtap.5.xml:11 #: sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "5" #. type: Content of: <reference><refentry><refmeta><refmiscinfo> #: sssd.conf.5.xml:15 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-session-recording.5.xml:12 sssd-kcm.8.xml:12 #: sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "Formáty souborů a konvence" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd.conf.5.xml:20 msgid "the configuration file for SSSD" msgstr "soubor s nastaveními pro SSSD" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:24 msgid "FILE FORMAT" msgstr "FORMÁT SOUBORU" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:32 #, no-wrap msgid "" "<replaceable>[section]</replaceable>\n" "<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" "<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" " " msgstr "" "<replaceable>[sekce]</replaceable>\n" "<replaceable>klíč</replaceable> = <replaceable>hodnota</replaceable>\n" "<replaceable>klíč2</replaceable> = <replaceable>hodnota2,hodnota3</replaceable>\n" " " #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:27 msgid "" "The file has an ini-style syntax and consists of sections and parameters. A " "section begins with the name of the section in square brackets and continues " "until the next section begins. An example of section with single and multi-" "valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" "Forma zápisu v souboru je ve stylu ini a sestává se ze sekcí a parametrů. " "Sekce začíná jejím názvem (v hranatých závorkách) a pokračuje až po začátek " "následující sekce. Příklad jedné sekce s jedno a vícehodnotovými parametry: " "<placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:39 msgid "" "The data types used are string (no quotes needed), integer and bool (with " "values of <quote>TRUE/FALSE</quote>)." msgstr "" "Používané datové typy jsou řetězce (není třeba obklopovat uvozovkami), celá " "čísla bolean (s hodnotami <quote>TRUE/FALSE</quote>)." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:44 msgid "" "A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " "(<quote>;</quote>). Inline comments are not supported." msgstr "" "Řádek s komentářem začíná na znak # (křížek) (<quote>#</quote>) nebo " "středník (<quote>;</quote>). Komentáře v rámci řádku nejsou podporovány." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:50 msgid "" "All sections can have an optional <replaceable>description</replaceable> " "parameter. Its function is only as a label for the section." msgstr "" "Všechny sekce mohou mít volitelný <replaceable>popis</replaceable> " "parametry. Jeho funkcí je pouze oštítkování sekce." #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:56 msgid "" "<filename>sssd.conf</filename> must be a regular file, owned by root and " "only root may read from or write to the file." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:62 msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:65 msgid "" "The configuration file <filename>sssd.conf</filename> will include " "configuration snippets using the include directory <filename>conf.d</" "filename>. This feature is available if SSSD was compiled with libini " "version 1.3.0 or later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:72 msgid "" "Any file placed in <filename>conf.d</filename> that ends in " "<quote><filename>.conf</filename></quote> and does not begin with a dot " "(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " "to configure SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:80 msgid "" "The configuration snippets from <filename>conf.d</filename> have higher " "priority than <filename>sssd.conf</filename> and will override " "<filename>sssd.conf</filename> when conflicts occur. If several snippets are " "present in <filename>conf.d</filename>, then they are included in " "alphabetical order (based on locale). Files included later have higher " "priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " "<filename>02_snippet.conf</filename> etc.) can help visualize the priority " "(higher number means higher priority)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:94 msgid "" "The snippet files require the same owner and permissions as <filename>sssd." "conf</filename>. Which are by default root:root and 0600." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:101 msgid "GENERAL OPTIONS" msgstr "OBECNÉ VOLBY" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:103 msgid "Following options are usable in more than one configuration sections." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:107 msgid "Options usable in all sections" msgstr "Volby použitelné ve všech sekcích" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:111 msgid "debug_level (integer)" msgstr "debug_level (celé kladné číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:115 msgid "debug (integer)" msgstr "debug (celé kladné číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:118 msgid "" "SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " "for <replaceable>debug_level</replaceable> as a convenience feature. If both " "are specified, the value of <replaceable>debug_level</replaceable> will be " "used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:128 msgid "debug_timestamps (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:131 msgid "" "Add a timestamp to the debug messages. If journald is enabled for SSSD " "debug logging this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:136 sssd.conf.5.xml:173 sssd.conf.5.xml:358 #: sssd.conf.5.xml:714 sssd.conf.5.xml:729 sssd.conf.5.xml:952 #: sssd.conf.5.xml:1070 sssd.conf.5.xml:2198 sssd-ldap.5.xml:1073 #: sssd-ldap.5.xml:1176 sssd-ldap.5.xml:1245 sssd-ldap.5.xml:1752 #: sssd-ldap.5.xml:1817 sssd-ipa.5.xml:347 sssd-ad.5.xml:252 sssd-ad.5.xml:366 #: sssd-ad.5.xml:1200 sssd-ad.5.xml:1353 sssd-krb5.5.xml:358 msgid "Default: true" msgstr "Výchozí: true (pravda)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:141 msgid "debug_microseconds (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:144 msgid "" "Add microseconds to the timestamp in debug messages. If journald is enabled " "for SSSD debug logging this option is ignored." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:149 sssd.conf.5.xml:652 sssd.conf.5.xml:949 #: sssd.conf.5.xml:2101 sssd.conf.5.xml:2168 sssd.conf.5.xml:4244 #: sssd-ldap.5.xml:313 sssd-ldap.5.xml:919 sssd-ldap.5.xml:938 #: sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1601 sssd-ldap.5.xml:1841 #: sssd-ipa.5.xml:152 sssd-ipa.5.xml:254 sssd-ipa.5.xml:662 sssd-ad.5.xml:1106 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432 #: include/krb5_options.xml:163 msgid "Default: false" msgstr "Výchozí: false (nepravda)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:154 msgid "debug_backtrace_enabled (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:157 msgid "Enable debug backtrace." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:160 msgid "" "In case SSSD is run with debug_level less than 9, everything is logged to a " "ring buffer in memory and flushed to a log file on any error up to and " "including `min(0x0040, debug_level)` (i.e. if debug_level is explicitly set " "to 0 or 1 then only those error levels will trigger backtrace, otherwise up " "to 2)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:169 msgid "" "Feature is only supported for `logger == files` (i.e. setting doesn't have " "effect for other logger types)." msgstr "" #. type: Content of: outside any tag (error?) #: sssd.conf.5.xml:109 sssd.conf.5.xml:184 sssd-ldap.5.xml:1658 #: sssd-ldap.5.xml:1864 sss-certmap.5.xml:645 sssd-systemtap.5.xml:82 #: sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 #: sssd-systemtap.5.xml:330 sssd-ldap-attributes.5.xml:40 #: sssd-ldap-attributes.5.xml:661 sssd-ldap-attributes.5.xml:803 #: sssd-ldap-attributes.5.xml:892 sssd-ldap-attributes.5.xml:989 #: sssd-ldap-attributes.5.xml:1047 sssd-ldap-attributes.5.xml:1205 #: sssd-ldap-attributes.5.xml:1250 include/autofs_attributes.xml:1 #: include/krb5_options.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:182 msgid "Options usable in SERVICE and DOMAIN sections" msgstr "Volby použitelné v sekcích SERVICE a DOMAIN" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:186 msgid "timeout (integer)" msgstr "timeout (celé kladné číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:189 msgid "" "Timeout in seconds between heartbeats for this service. This is used to " "ensure that the process is alive and capable of answering requests. Note " "that after three missed heartbeats the process will terminate itself." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:196 sssd.conf.5.xml:1290 sssd.conf.5.xml:1767 #: sssd.conf.5.xml:4260 sssd-ldap.5.xml:766 include/ldap_id_mapping.xml:270 msgid "Default: 10" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:206 msgid "SPECIAL SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:209 msgid "The [sssd] section" msgstr "Sekce [sssd]" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><title> #: sssd.conf.5.xml:218 msgid "Section parameters" msgstr "Parametry sekce" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:220 msgid "config_file_version (integer)" msgstr "config_file_version (celé kladné číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:223 msgid "" "Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " "version 2." msgstr "" "Značí jaká je syntaxe souboru s nastaveními. SSSD 0.6.0 a novější používají " "verzi 2." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:229 msgid "services" msgstr "služby" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:232 msgid "" "Comma separated list of services that are started when sssd itself starts. " "<phrase condition=\"have_systemd\"> The services' list is optional on " "platforms where systemd is supported, as they will either be socket or D-Bus " "activated when needed. </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:241 msgid "" "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase " "condition=\"with_ssh\">, ssh</phrase> <phrase " "condition=\"with_pac_responder\">, pac</phrase> <phrase " "condition=\"with_ifp\">, ifp</phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:249 msgid "" "<phrase condition=\"have_systemd\"> By default, all services are disabled " "and the administrator must enable the ones allowed to be used by executing: " "\"systemctl enable sssd-@service@.socket\". </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:258 sssd.conf.5.xml:784 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:261 sssd.conf.5.xml:787 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:266 sssd.conf.5.xml:792 sssd.conf.5.xml:3716 #: include/failover.xml:100 msgid "Default: 3" msgstr "Výchozí: 3" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:271 msgid "domains" msgstr "domény" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:274 msgid "" "A domain is a database containing user information. SSSD can use more " "domains at the same time, but at least one must be configured or SSSD won't " "start. This parameter describes the list of domains in the order you want " "them to be queried. A domain name is recommended to contain only " "alphanumeric ASCII characters, dashes, dots and underscores. '/' character " "is forbidden." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:287 sssd.conf.5.xml:3548 msgid "re_expression (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:290 msgid "" "Default regular expression that describes how to parse the string containing " "user name and domain into these components." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:295 msgid "" "Each domain can have an individual regular expression configured. For some " "ID providers there are also default regular expressions. See DOMAIN SECTIONS " "for more info on these regular expressions." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:304 sssd.conf.5.xml:3605 msgid "full_name_format (string)" msgstr "full_name_format (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:307 sssd.conf.5.xml:3608 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry>-compatible format that describes how to compose a " "fully qualified name from user name and domain name components." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:318 sssd.conf.5.xml:3619 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:319 sssd.conf.5.xml:3620 msgid "user name" msgstr "uživatelské jméno" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 sssd.conf.5.xml:3623 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 sssd.conf.5.xml:3626 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:331 sssd.conf.5.xml:3632 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:334 sssd.conf.5.xml:3635 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:315 sssd.conf.5.xml:3616 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:344 msgid "" "Each domain can have an individual format string configured. See DOMAIN " "SECTIONS for more info on this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:350 msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:353 msgid "" "Controls if SSSD should monitor the state of resolv.conf to identify when it " "needs to update its internal DNS resolver." msgstr "" "Ovládá zda SSSD má sledovat stav resolv.conf a zjišťovat tak, zda je " "zapotřebí aktualizovat svůj vestavěný překlad DNS názvů." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:363 msgid "try_inotify (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:366 msgid "" "By default, SSSD will attempt to use inotify to monitor configuration files " "changes and will fall back to polling every five seconds if inotify cannot " "be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:372 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " "to 'false'" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:378 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:382 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:389 msgid "krb5_rcache_dir (string)" msgstr "krb5_rcache_dir (řetězec)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:392 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" "Složka na souborovém systému kde by SSSD mělo ukládat soubory pro kerberos " "replay." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:396 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:402 msgid "" "Default: Distribution-specific and specified at build-time. " "(__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:409 msgid "user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:412 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. Currently the only supported value is '&sssd_user_name;'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:419 msgid "" "This option does not work when running socket-activated services, as the " "user set up to run the processes is set up during compilation time. The way " "to override the systemd unit files is by creating the appropriate files in /" "etc/systemd/system/. Keep in mind that any change in the socket user, group " "or permissions may result in a non-usable SSSD. The same may occur in case " "of changes of the user running the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:433 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:438 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:441 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " "domain is intended for managing host policies and all users are located in a " "trusted domain. The option allows those users to log in just with their " "user name without giving a domain name as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:451 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log in. " "Setting this option changes default of use_fully_qualified_names to True. It " "is not allowed to use this option together with use_fully_qualified_names " "set to False. <phrase condition=\"with_files_provider\"> One exception from " "this rule are domains with <quote>id_provider=files</quote> that always try " "to match the behaviour of nss_files and therefore their output is not " "qualified even when the default_domain_suffix option is used. </phrase>" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:468 sssd-ldap.5.xml:877 sssd-ldap.5.xml:889 #: sssd-ldap.5.xml:982 sssd-ad.5.xml:920 sssd-ad.5.xml:995 sssd-krb5.5.xml:468 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:978 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222 #: include/krb5_options.xml:148 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:473 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:476 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " ""john_doe" This feature was added to help compatibility with shell " "scripts that have difficulty handling spaces, due to the default field " "separator in the shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:485 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " "character SSSD tries to return the unmodified name but in general the result " "of a lookup is undefined." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:493 msgid "Default: not set (spaces will not be replaced)" msgstr "Výchozí: nenastaveno (mezery nebudou nahrazovány)" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:498 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:506 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:508 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " "the client." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:516 msgid "soft_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:518 msgid "" "If a connection cannot be established to an OCSP responder the OCSP check is " "skipped. This option should be used to allow authentication when the system " "is offline and the OCSP responder cannot be reached." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:528 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:530 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:534 msgid "sha1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:535 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:536 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:537 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:540 msgid "Default: sha1 (to allow compatibility with RFC5019-compliant responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:546 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:548 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:554 msgid "partial_chain" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:556 msgid "" "Allow verification to succeed even if a <replaceable>complete</replaceable> " "chain cannot be built to a self-signed trust-anchor, provided it is possible " "to construct a chain to a trusted certificate that might not be self-signed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:565 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:567 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " "default responder e.g. http://example.com:80/ocsp." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:577 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:579 msgid "" "This option is currently ignored. All needed certificates must be available " "in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:587 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:589 msgid "" "Use the Certificate Revocation List (CRL) from the given file during the " "verification of the certificate. The CRL must be given in PEM format, see " "<citerefentry> <refentrytitle>crl</refentrytitle> <manvolnum>1ssl</" "manvolnum> </citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:602 msgid "soft_crl" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:605 msgid "" "If a Certificate Revocation List (CRL) is expired ignore the CRL checks for " "the related certificates. This option should be used to allow authentication " "when the system is offline and the CRL cannot be renewed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:501 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:616 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:619 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:625 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:628 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:633 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:638 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:643 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:646 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:657 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:660 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " "domains as the missing domains will be looked up based on the order they're " "presented in the <quote>domains</quote> configuration option. The " "subdomains which are not listed as part of <quote>lookup_order</quote> will " "be looked up in a random order for each parent domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:672 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input <phrase " "condition=\"with_files_provider\"> , for all users but the ones managed by " "the files provider </phrase>. In case the administrator wants the output " "not fully-qualified, the full_name_format option can be used as shown below: " "<quote>full_name_format=%1$s</quote> However, keep in mind that during " "login, login applications often canonicalize the username by calling " "<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry> which, if a shortname is returned for a qualified " "input (while trying to reach a user which exists in multiple domains) might " "re-route the login attempt into the domain which uses shortnames, making " "this workaround totally not recommended in cases where usernames may overlap " "between domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:700 sssd.conf.5.xml:1791 sssd.conf.5.xml:4310 #: sssd-ad.5.xml:187 sssd-ad.5.xml:327 sssd-ad.5.xml:341 msgid "Default: Not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:705 msgid "implicit_pac_responder (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:708 msgid "" "The PAC responder is enabled automatically for the IPA and AD provider to " "evaluate and check the PAC. If it has to be disabled set this option to " "'false'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:719 msgid "core_dumpable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:722 msgid "" "This option can be used for general system hardening: setting it to 'false' " "forbids core dumps for all SSSD processes to avoid leaking plain text " "passwords. See man page prctl:PR_SET_DUMPABLE for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:734 msgid "passkey_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:742 msgid "user_verification (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:744 msgid "" "Enable or disable the user verification (i.e. PIN, fingerprint) during " "authentication. If enabled, the PIN will always be requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:750 msgid "" "The default is that the key settings decide what to do. In the IPA or " "kerberos pre-authentication case, this value will be overwritten by the " "server." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:737 msgid "" "With this parameter the passkey verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:211 msgid "" "Individual pieces of SSSD functionality are provided by special SSSD " "services that are started and stopped together with SSSD. The services are " "managed by a special service frequently called <quote>monitor</quote>. The " "<quote>[sssd]</quote> section is used to configure the monitor as well as " "some other important options like the identity domains. <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:769 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:771 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " "section, for example, for NSS service, the section would be <quote>[nss]</" "quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:778 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:780 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:797 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:800 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " "the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " "systems without this capability, the resulting value will be the lower value " "of this or the limits.conf \"hard\" limit." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:809 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:814 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:817 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " "limited in order to avoid resource exhaustion on the system. The timeout " "can't be shorter than 10 seconds. If a lower value is configured, it will be " "adjusted to 10 seconds." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:826 #, fuzzy #| msgid "Default: 200000" msgid "Default: 60, KCM: 300" msgstr "Výchozí: 200000" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:831 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:834 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. By " "default SSSD uses incremental behaviour to calculate delay in between " "retries. So, the wait time for a given retry will be longer than the wait " "time for the previous ones. After each unsuccessful attempt to go online, " "the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:845 sssd.conf.5.xml:901 msgid "" "new_delay = Minimum(old_delay * 2, offline_timeout_max) + random[0..." "offline_timeout_random_offset]" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:848 msgid "" "The offline_timeout default value is 60. The offline_timeout_max default " "value is 3600. The offline_timeout_random_offset default value is 30. The " "end result is amount of seconds before next retry." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:854 msgid "" "Note that the maximum length of each interval is defined by " "offline_timeout_max (apart of random part)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:858 sssd.conf.5.xml:1201 sssd.conf.5.xml:1584 #: sssd.conf.5.xml:1880 sssd-ldap.5.xml:495 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:863 #, fuzzy #| msgid "ldap_idmap_range_max (integer)" msgid "offline_timeout_max (integer)" msgstr "ldap_idmap_range_max (celé číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:866 msgid "" "Controls by how much the time between attempts to go online can be " "incremented following unsuccessful attempts to go online." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:871 msgid "A value of 0 disables the incrementing behaviour." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:874 msgid "" "The value of this parameter should be set in correlation to offline_timeout " "parameter value." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:878 msgid "" "With offline_timeout set to 60 (default value) there is no point in setting " "offlinet_timeout_max to less than 120 as it will saturate instantly. General " "rule here should be to set offline_timeout_max to at least 4 times " "offline_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:884 msgid "" "Although a value between 0 and offline_timeout may be specified, it has the " "effect of overriding the offline_timeout value so is of little use." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:889 #, fuzzy #| msgid "Default: 200000" msgid "Default: 3600" msgstr "Výchozí: 200000" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:894 #, fuzzy #| msgid "ldap_idmap_range_size (integer)" msgid "offline_timeout_random_offset (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:897 msgid "" "When SSSD is in offline mode it keeps probing backend servers in specified " "time intervals:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:904 msgid "" "This parameter controls the value of the random offset used for the above " "equation. Final random_offset value will be random number in range:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:909 msgid "[0 - offline_timeout_random_offset]" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:912 msgid "A value of 0 disables the random offset addition." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:915 #, fuzzy #| msgid "Default: 200000" msgid "Default: 30" msgstr "Výchozí: 200000" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:920 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:923 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " "resource exhaustion on the system. The minimum acceptable value for this " "option is 60 seconds. Setting this option to 0 (zero) means that no timeout " "will be set up to the responder. This option only has effect when SSSD is " "built with systemd support and when services are either socket or D-Bus " "activated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:937 sssd.conf.5.xml:1214 sssd.conf.5.xml:2322 #: sssd-ldap.5.xml:332 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:942 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:945 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:960 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:962 msgid "" "These options can be used to configure the Name Service Switch (NSS) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:967 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:970 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:974 msgid "Default: 120" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:979 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:982 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " "for the domain." msgstr "" "Mezipaměť položek může být nastavena na automatické aktualizování položek na " "pozadí, pokud jsou požadovány za procentem hodnoty entry_cache_timeout pro " "doménu." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:988 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " "after 15 seconds past the last cache update will be returned immediately, " "but the SSSD will go and update the cache on its own, so that future " "requests will not need to block waiting for a cache update." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:998 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " "percentage will never reduce the nowait timeout to less than 10 seconds. (0 " "disables this feature)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1006 sssd.conf.5.xml:2122 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1011 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1014 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " "before asking the back end again." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1020 sssd.conf.5.xml:1779 sssd.conf.5.xml:2146 msgid "Default: 15" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1025 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1028 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " "the option to 0 disables this feature." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1034 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1039 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1042 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " "also be set per-domain or include fully-qualified names to filter only users " "from the particular domain or by a user principal name (UPN)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1050 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " "NSS. E.g. a group having a member group filtered out will still have the " "member users of the latter listed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1058 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1063 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1066 msgid "" "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1077 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1080 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1085 msgid "" "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1091 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" " " msgstr "" #. type: Content of: <varlistentry><listitem><para> #: sssd.conf.5.xml:1089 sssd.conf.5.xml:1651 sssd.conf.5.xml:1670 #: sssd.conf.5.xml:1747 sssd-krb5.5.xml:451 include/override_homedir.xml:66 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1095 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1101 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1104 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " "or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1110 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1116 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1119 msgid "" "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1122 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1126 msgid "" "2. If the shell is in the allowed_shells list but not in <quote>/etc/shells</" "quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1131 msgid "" "3. If the shell is not in the allowed_shells list and not in <quote>/etc/" "shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1136 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1139 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " "allowed shells in allowed_shells would be to much overhead." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1146 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1149 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1153 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1158 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1161 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1166 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1169 msgid "" "The default shell to use if an allowed shell is not installed on the machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1173 msgid "Default: /bin/sh" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1178 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1181 msgid "" "The default shell to use if the provider does not return one during lookup. " "This option can be specified globally in the [nss] section or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1187 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1194 sssd.conf.5.xml:1577 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1197 sssd.conf.5.xml:1580 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" "Určuje dobu (v sekundách) po které bude seznam dílčích domén považován za " "platný." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1206 msgid "memcache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1209 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1217 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1223 sssd.conf.5.xml:1248 sssd.conf.5.xml:1273 #: sssd.conf.5.xml:1298 sssd.conf.5.xml:1325 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1231 msgid "memcache_size_passwd (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1234 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for passwd requests. Setting the size to 0 will disable the passwd in-" "memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1240 sssd.conf.5.xml:2971 sssd-ldap.5.xml:549 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1243 sssd.conf.5.xml:1268 sssd.conf.5.xml:1293 #: sssd.conf.5.xml:1320 msgid "" "WARNING: Disabled or too small in-memory cache can have significant negative " "impact on SSSD's performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1256 #, fuzzy #| msgid "ldap_idmap_range_size (integer)" msgid "memcache_size_group (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1259 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for group requests. Setting the size to 0 will disable the group in-memory " "cache." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1265 sssd.conf.5.xml:1317 sssd.conf.5.xml:3737 #: sssd-ldap.5.xml:474 sssd-ldap.5.xml:526 include/failover.xml:116 #: include/krb5_options.xml:11 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1281 msgid "memcache_size_initgroups (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1284 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for initgroups requests. Setting the size to 0 will disable the initgroups " "in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1306 #, fuzzy #| msgid "ldap_idmap_range_size (integer)" msgid "memcache_size_sid (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1309 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for SID related requests. Only SID-by-ID and ID-by-SID requests are " "currently cached in fast in-memory cache. Setting the size to 0 will " "disable the SID in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:1333 sssd-ifp.5.xml:90 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1336 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " "attributes is controlled by this option. It is handled the same way as the " "<quote>user_attributes</quote> option of the InfoPipe responder (see " "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for details) but with no default values." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1349 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1354 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1359 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1362 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1367 msgid "Default: <quote>*</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1370 msgid "" "Note: This option can also be set per-domain which overwrites the value in " "[nss] section." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1374 msgid "" "Default: <quote>not set</quote> (remote domains), <phrase " "condition=\"with_files_provider\"> <quote>x</quote> (the files domain), </" "phrase> <quote>x</quote> (proxy domain with nss_files and sssd-shadowutils " "target)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:1386 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:1388 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1393 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1396 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1401 sssd.conf.5.xml:1414 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1407 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1410 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1420 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1423 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1428 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " "authentication can enable offline authentication again." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1434 sssd.conf.5.xml:1544 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1440 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1443 msgid "" "Controls what kind of messages are shown to the user during authentication. " "The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1448 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1451 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1454 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1458 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1461 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1465 sssd.8.xml:63 msgid "Default: 1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1471 msgid "pam_response_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1474 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " "responses sent to pam_sss e.g. messages displayed to the user or environment " "variables which should be set by pam_sss." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1482 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1489 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1490 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1493 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1494 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1498 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1499 msgid "Do not send environment variable var_name to service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1487 msgid "" "Currently the following filters are supported: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1506 msgid "" "The list of strings can either be the list of filters which would set this " "list of filters and overwrite the defaults. Or each element of the list can " "be prefixed by a '+' or '-' character which would add the filter to the " "existing default or remove it from the defaults, respectively. Please note " "that either all list elements must have a '+' or '-' prefix or none. It is " "considered as an error to mix both styles." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1517 msgid "Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1520 msgid "" "Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the default list" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1527 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1530 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " "ensure that authentication takes place with the latest information." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1536 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a per-" "client-application basis) how long (in seconds) we can cache the identity " "information to avoid excessive round-trips to the identity provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1550 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1553 sssd.conf.5.xml:2995 msgid "Display a warning N days before the password expires." msgstr "Zobrazit varování N dnů před skončením platnosti hesla." #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1556 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " "cannot display a warning." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1562 sssd.conf.5.xml:2998 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1567 msgid "" "This setting can be overridden by setting <emphasis>pwd_expiration_warning</" "emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1572 sssd.conf.5.xml:4003 sssd-ldap.5.xml:607 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1589 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1592 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " "included in this list can only access domains marked as public with " "<quote>pam_public_domains</quote>. User names are resolved to UIDs at " "startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1602 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1606 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1613 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1616 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1620 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1624 msgid "" "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1628 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1632 sssd.conf.5.xml:1657 sssd.conf.5.xml:1676 #: sssd.conf.5.xml:1913 sssd.conf.5.xml:2733 sssd.conf.5.xml:3932 #: sssd-ldap.5.xml:1209 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1637 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1640 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1645 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1653 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1662 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1665 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1672 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1681 msgid "pam_passkey_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1684 msgid "Enable passkey device based authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1687 sssd.conf.5.xml:1999 sssd-ad.5.xml:1271 #: sss_rpcidmapd.5.xml:76 sssd-files.5.xml:145 msgid "Default: True" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1692 msgid "passkey_debug_libfido2 (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1695 msgid "Enable libfido2 library debug messages." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1698 sssd.conf.5.xml:1712 sssd-ldap.5.xml:672 #: sssd-ldap.5.xml:693 sssd-ldap.5.xml:789 sssd-ldap.5.xml:1295 #: sssd-ad.5.xml:505 sssd-ad.5.xml:581 sssd-ad.5.xml:1126 sssd-ad.5.xml:1175 #: include/ldap_id_mapping.xml:250 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1703 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1706 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " "authentication process this option is disabled by default." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1717 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1720 msgid "The path to the certificate database." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1723 sssd.conf.5.xml:2248 sssd.conf.5.xml:4424 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1725 sssd.conf.5.xml:2250 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted CA " "certificates in PEM format)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1735 msgid "pam_cert_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1738 msgid "" "With this parameter the PAM certificate verification can be tuned with a " "comma separated list of options that override the " "<quote>certificate_verification</quote> value in <quote>[sssd]</quote> " "section. Supported options are the same of <quote>certificate_verification</" "quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1749 #, no-wrap msgid "" "pam_cert_verification = partial_chain\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1753 msgid "" "Default: not set, i.e. use default <quote>certificate_verification</quote> " "option defined in <quote>[sssd]</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1760 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1763 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1772 #, fuzzy #| msgid "timeout (integer)" msgid "passkey_child_timeout (integer)" msgstr "timeout (celé kladné číslo)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1775 msgid "" "How many seconds will the PAM responder wait for passkey_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1784 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1787 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1796 #, fuzzy #| msgid "simple_allow_users (string)" msgid "pam_p11_allowed_services (string)" msgstr "simple_allow_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1799 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1814 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1803 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in order " "to replace a default PAM service name for authentication with Smartcards (e." "g. <quote>login</quote>) with a custom PAM service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1818 sssd-ad.5.xml:644 sssd-ad.5.xml:753 sssd-ad.5.xml:811 #: sssd-ad.5.xml:869 sssd-ad.5.xml:947 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1823 sssd-ad.5.xml:648 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1828 sssd-ad.5.xml:653 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1833 sssd-ad.5.xml:658 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1838 sssd-ad.5.xml:673 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1843 sssd-ad.5.xml:668 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1848 sssd-ad.5.xml:678 msgid "kdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1853 sssd-ad.5.xml:956 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1858 sssd-ad.5.xml:961 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1863 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1871 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1874 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " "inserted." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1885 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1888 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " "p11_child will search for a PKCS#11 slot (reader) where the 'removable' " "flags is set and read the certificates from the inserted token from the " "first slot found. If multiple readers are connected p11_uri can be used to " "tell p11_child to use a specific reader." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1901 #, no-wrap msgid "" "p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1905 #, no-wrap msgid "" "p11_uri = pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1899 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " "debug output of p11_child. As an alternative the GnuTLS utility 'p11tool' " "with e.g. the '--list-all' will show PKCS#11 URIs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1918 msgid "pam_initgroups_scheme" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1926 msgid "always" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1927 msgid "" "Always do an online lookup, please note that pam_id_timeout still applies" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1931 msgid "no_session" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1932 msgid "" "Only do an online lookup if there is no active session of the user, i.e. if " "the user is currently not logged in" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1937 msgid "never" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1938 msgid "" "Never force an online lookup, use the data from the cache as long as they " "are not expired" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1921 msgid "" "The PAM responder can force an online lookup to get the current group " "memberships of the user trying to log in. This option controls when this " "should be done and the following values are allowed: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1945 msgid "Default: no_session" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:1950 sssd.conf.5.xml:4363 msgid "pam_gssapi_services" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1953 msgid "" "Comma separated list of PAM services that are allowed to try GSSAPI " "authentication using pam_sss_gss.so module." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1958 msgid "" "To disable GSSAPI authentication, set this option to <quote>-</quote> (dash)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1962 sssd.conf.5.xml:1993 sssd.conf.5.xml:2031 msgid "" "Note: This option can also be set per-domain which overwrites the value in " "[pam] section. It can also be set for trusted domain which overwrites the " "value in the domain section." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1970 #, no-wrap msgid "" "pam_gssapi_services = sudo, sudo-i\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1968 sssd.conf.5.xml:3926 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1974 msgid "Default: - (GSSAPI authentication is disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:1979 sssd.conf.5.xml:4364 msgid "pam_gssapi_check_upn" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1982 msgid "" "If True, SSSD will require that the Kerberos user principal that " "successfully authenticated through GSSAPI can be associated with the user " "who is being authenticated. Authentication will fail if the check fails." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1989 msgid "" "If False, every user that is able to obtained required service ticket will " "be authenticated." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2004 msgid "pam_gssapi_indicators_map" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2007 msgid "" "Comma separated list of authentication indicators required to be present in " "a Kerberos ticket to access a PAM service that is allowed to try GSSAPI " "authentication using pam_sss_gss.so module." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2013 msgid "" "Each element of the list can be either an authentication indicator name or a " "pair <quote>service:indicator</quote>. Indicators not prefixed with the PAM " "service name will be required to access any PAM service configured to be " "used with <option>pam_gssapi_services</option>. A resulting list of " "indicators per PAM service is then checked against indicators in the " "Kerberos ticket during authentication by pam_sss_gss.so. Any indicator from " "the ticket that matches the resulting list of indicators for the PAM service " "would grant access. If none of the indicators in the list match, access will " "be denied. If the resulting list of indicators for the PAM service is empty, " "the check will not prevent the access." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2026 msgid "" "To disable GSSAPI authentication indicator check, set this option to <quote>-" "</quote> (dash). To disable the check for a specific PAM service, add " "<quote>service:-</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2037 msgid "" "Following authentication indicators are supported by IPA Kerberos " "deployments:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2040 msgid "" "pkinit -- pre-authentication using X.509 certificates -- whether stored in " "files or on smart cards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2043 msgid "" "hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a " "FAST channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2046 msgid "radius -- pre-authentication with the help of a RADIUS server." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2049 msgid "" "otp -- pre-authentication using integrated two-factor authentication (2FA or " "one-time password, OTP) in IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2052 msgid "idp -- pre-authentication using external identity provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:2062 #, no-wrap msgid "" "pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2057 msgid "" "Example: to require access to SUDO services only for users which obtained " "their Kerberos tickets with a X.509 certificate pre-authentication (PKINIT), " "set <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2066 msgid "Default: not set (use of authentication indicators is not required)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2074 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2076 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> <refentrytitle>sudo</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> to work with " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry> are in the manual page <citerefentry> <refentrytitle>sssd-" "sudo</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2093 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2096 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2108 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2111 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " "<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " "<quote>full refresh</quote> of sudo rules is triggered instead. This " "threshold number also applies to IPA sudo command and command group searches." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2130 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2132 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2136 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2139 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " "before asking the back end again." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2155 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2157 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2161 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2164 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2173 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2176 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2180 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2185 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2188 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " "entry as well. See <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" "refentrytitle> <manvolnum>1</manvolnum> </citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2203 msgid "ssh_use_certificate_matching_rules (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2206 msgid "" "By default the ssh responder will use all available certificate matching " "rules to filter the certificates so that ssh keys are only derived from the " "matching ones. With this option the used rules can be restricted with a " "comma separated list of mapping and matching rule names. All other rules " "will be ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2215 msgid "" "There are two special key words 'all_rules' and 'no_rules' which will enable " "all or no rules, respectively. The latter means that no certificates will be " "filtered out and ssh keys will be generated from all valid certificates." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2222 msgid "" "If no rules are configured using 'all_rules' will enable a default rule " "which enables all certificates suitable for client authentication. This is " "the same behavior as for the PAM responder if certificate authentication is " "enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2229 msgid "" "A non-existing rule name is considered an error. If as a result no rule is " "selected all certificates will be ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2234 msgid "" "Default: not set, equivalent to 'all_rules', all found rules or the default " "rule are used" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2240 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2243 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2263 msgid "PAC responder configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2265 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " "PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " "provider collects domain SID and ID ranges of the domain the client is " "joined to and of remote trusted domains from the local domain controller. If " "the PAC is decoded and evaluated some of the following operations are done:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2274 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " "GID will have the same value as the UID. The home directory is set based on " "the subdomain_homedir parameter. The shell will be empty by default, i.e. " "the system defaults are used, but can be overwritten with the default_shell " "parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2282 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2288 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2292 sssd-ifp.5.xml:66 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2295 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " "startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2301 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2305 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " "access the PAC responder, which would be the typical case, you have to add 0 " "to the list of allowed UIDs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2314 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2317 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2327 #, fuzzy #| msgid "krb5_rcache_dir (string)" msgid "pac_check (string)" msgstr "krb5_rcache_dir (řetězec)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2330 msgid "" "Apply additional checks on the PAC of the Kerberos ticket which is available " "in Active Directory and FreeIPA domains, if configured. Please note that " "Kerberos ticket validation must be enabled to be able to check the PAC, i.e. " "the krb5_validate option must be set to 'True' which is the default for the " "IPA and AD provider. If krb5_validate is set to 'False' the PAC checks will " "be skipped." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2344 msgid "no_check" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2346 msgid "" "The PAC must not be present and even if it is present no additional checks " "will be done." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2352 msgid "pac_present" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2354 msgid "" "The PAC must be present in the service ticket which SSSD will request with " "the help of the user's TGT. If the PAC is not available the authentication " "will fail." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2362 msgid "check_upn" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2364 msgid "" "If the PAC is present check if the user principal name (UPN) information is " "consistent." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2370 msgid "check_upn_allow_missing" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2372 msgid "" "This option should be used together with 'check_upn' and handles the case " "where a UPN is set on the server-side but is not read by SSSD. The typical " "example is a FreeIPA domain where 'ldap_user_principal' is set to a not " "existing attribute name. This was typically done to work-around issues in " "the handling of enterprise principals. But this is fixed since quite some " "time and FreeIPA can handle enterprise principals just fine and there is no " "need anymore to set 'ldap_user_principal'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2384 msgid "" "Currently this option is set by default to avoid regressions in such " "environments. A log message will be added to the system log and SSSD's debug " "log in case a UPN is found in the PAC but not in SSSD's cache. To avoid this " "log message it would be best to evaluate if the 'ldap_user_principal' option " "can be removed. If this is not possible, removing 'check_upn' will skip the " "test and avoid the log message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2398 msgid "upn_dns_info_present" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2400 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2405 msgid "check_upn_dns_info_ex" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2407 msgid "" "If the PAC is present and the extension to the UPN-DNS-INFO buffer is " "available check if the information in the extension is consistent." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2414 msgid "upn_dns_info_ex_present" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2416 msgid "" "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies " "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2340 msgid "" "The following options can be used alone or in a comma-separated list: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2426 msgid "" "Default: no_check (AD and IPA provider 'check_upn, check_upn_allow_missing, " "check_upn_dns_info_ex')" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2435 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2437 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> </" "citerefentry>, a part of tlog package, to log what users see and type when " "they log in on a text terminal. See also <citerefentry> <refentrytitle>sssd-" "session-recording</refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2450 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2461 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2464 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2469 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2472 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2481 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2484 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2457 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2491 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2496 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2499 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording enabled. " "Matches user names as returned by NSS. I.e. after the possible space " "replacement, case changes, etc." msgstr "" "Čárkou oddělovaný seznam uživatelů, kterým zapnout zaznamenávání relace. " "Shodující se uživatelská jména jsou vrácena z NSS. T.j. po možném nahrazení " "mezer, změně velikosti písmen, atd." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2505 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2510 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2513 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " "possible space replacement, case changes, etc." msgstr "" "Čárkou oddělovaný seznam skupin, dále členů, pro které zapnout zaznamenávání " "relace. Odpovídající názvy skupin jsou vráceny z NSS. Tj. po možném " "nahrazení mezer, změn velikosti písmen, atd." #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2519 sssd.conf.5.xml:2551 sssd-session-recording.5.xml:129 #: sssd-session-recording.5.xml:161 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " "retrieving and matching the groups the user is member of." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2526 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2531 sssd-session-recording.5.xml:141 #, fuzzy #| msgid "simple_deny_users (string)" msgid "exclude_users (string)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2534 sssd-session-recording.5.xml:144 msgid "" "A comma-separated list of users to be excluded from recording, only " "applicable with 'scope=all'." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2538 sssd-session-recording.5.xml:148 msgid "Default: Empty. No users excluded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2543 sssd-session-recording.5.xml:153 #, fuzzy #| msgid "simple_deny_groups (string)" msgid "exclude_groups (string)" msgstr "simple_deny_groups (řetězec)" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2546 sssd-session-recording.5.xml:156 msgid "" "A comma-separated list of groups, members of which should be excluded from " "recording. Only applicable with 'scope=all'." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2558 sssd-session-recording.5.xml:168 msgid "Default: Empty. No groups excluded." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:2568 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd.conf.5.xml:2575 sssd.conf.5.xml:4054 sssd.conf.5.xml:4055 #: sssd.conf.5.xml:4058 msgid "enabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2578 msgid "" "Explicitly enable or disable the domain. If <quote>true</quote>, the domain " "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is " "always <quote>disabled</quote>. If this option is not set, the domain is " "enabled only if it is listed in the domains option in the <quote>[sssd]</" "quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2590 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2593 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " "be present or generated. Only objects from POSIX domains are available to " "the operating system interfaces and utilities." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2601 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2605 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry>) and the PAM responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2613 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2617 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2621 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2627 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2630 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2635 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For non-" "primary group memberships, those that are in range will be reported as " "expected." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2642 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2646 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2652 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2655 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " "enable enumeration in order for secondary groups to be displayed. This " "parameter can have one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2663 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2666 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2669 sssd.conf.5.xml:2950 sssd.conf.5.xml:3127 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2672 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2677 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " "to fully complete enumerations. During this time, individual requests for " "information will go directly to LDAP, though it may be slow, due to the " "heavy enumeration processing. Saving a large number of entries to cache " "after the enumeration completes might also be CPU intensive as the " "memberships have to be recomputed. This can lead to the <quote>sssd_be</" "quote> process becoming unresponsive or even restarted by the internal " "watchdog." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2692 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2697 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " "enumeration lookups are completed successfully. For more information, refer " "to the man pages for the specific id_provider in use." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2705 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2713 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2720 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2721 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2724 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2725 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2716 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " "Optionally, a list of one or more domain names can enable enumeration just " "for these trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2739 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2742 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2746 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " "for newly added or expired entries. You should run the <citerefentry> " "<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" "citerefentry> tool in order to force refresh of entries that have already " "been cached." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2759 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2765 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2768 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2772 sssd.conf.5.xml:2785 sssd.conf.5.xml:2798 #: sssd.conf.5.xml:2811 sssd.conf.5.xml:2825 sssd.conf.5.xml:2838 #: sssd.conf.5.xml:2852 sssd.conf.5.xml:2866 sssd.conf.5.xml:2879 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2778 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2781 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2791 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2794 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2804 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2807 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2817 msgid "entry_cache_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2820 msgid "" "How many seconds should nss_sss consider hosts and networks entries valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2831 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2834 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2844 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2847 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2858 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2861 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" "Kolik sekund ponechat ssh klíč hostitele po opětovném načtení. T.j. po jak " "dlouhou dobu ponechávat klíč hostitel v mezipaměti." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2872 msgid "entry_cache_computer_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2875 msgid "" "How many seconds to keep the local computer entry before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2885 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2888 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2893 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " "user, typically ran at login) operation in the past, both the user entry " "and the group membership are updated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2901 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2905 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2909 msgid "" "Cache entry will be refreshed by background task when 2/3 of cache timeout " "has already passed. If there are existing cached entries, the background " "task will refer to their original cache timeout values instead of current " "configuration value. This may lead to a situation in which background " "refresh task appears to not be working. This is done by design to improve " "offline mode operation and reuse of existing valid cache entries. To make " "this change instant the user may want to manually invalidate existing cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2922 sssd-ldap.5.xml:361 sssd-ldap.5.xml:1738 #: sssd-ipa.5.xml:270 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2928 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2931 msgid "" "Determines if user credentials are also cached in the local LDB cache. The " "cached credentials refer to passwords, which includes the first (long term) " "factor of two-factor authentication, not other authentication mechanisms. " "Passkey and Smartcard authentications are expected to work offline as long " "as a successful online authentication is recorded in the cache without " "additional configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2942 msgid "" "Take a note that while credentials are stored as a salted SHA512 hash, this " "still potentially poses some security risk in case an attacker manages to " "get access to a cache file (normally requires privileged access) and to " "break a password using brute force attack." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2956 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2959 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " "(long term password) must have to be saved as SHA512 hash into the cache." msgstr "" "Pokud je používáno dvoufaktorové ověřování (2FA) a přihlašovací údaje mají " "být ukládány, tato hodnota určuje nejkratší umožněnou délku pro hlavní " "faktor ověřování (dlouhodobé heslo), od které je třeba ho uložit jako SHA512 " "otisk do mezipaměti." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2966 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2977 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2980 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " "value of this parameter must be greater than or equal to " "offline_credentials_expiration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2987 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2992 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3003 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " "cannot display a warning. Also an auth provider has to be configured for the " "backend." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3010 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3016 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3019 msgid "" "The identification provider used for the domain. Supported ID providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3023 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3026 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> <refentrytitle>sssd-" "files</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " "information on how to mirror local users and groups into SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3034 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more " "information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3042 sssd.conf.5.xml:3153 sssd.conf.5.xml:3204 #: sssd.conf.5.xml:3267 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Identity Management provider. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring FreeIPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3051 sssd.conf.5.xml:3162 sssd.conf.5.xml:3213 #: sssd.conf.5.xml:3276 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring Active Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3062 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3065 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3070 msgid "" "If set to TRUE, all requests to this domain must use fully qualified names. " "For example, if used in LOCAL domain that contains a \"test\" user, " "<command>getent passwd test</command> wouldn't find the user while " "<command>getent passwd test@LOCAL</command> would." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3078 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " "will be searched when an unqualified name is requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3085 msgid "" "Default: FALSE (TRUE for trusted domain/sub-domains or if " "default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3092 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3095 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3098 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " "calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " "<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " "<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> </" "citerefentry>. As an effect, <quote>getent group $groupname</quote> would " "return the requested group as if it was empty." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3116 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " "members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3122 sssd.conf.5.xml:3848 sssd-ldap.5.xml:327 #: sssd-ldap.5.xml:356 sssd-ldap.5.xml:409 sssd-ldap.5.xml:469 #: sssd-ldap.5.xml:490 sssd-ldap.5.xml:521 sssd-ldap.5.xml:544 #: sssd-ldap.5.xml:583 sssd-ldap.5.xml:602 sssd-ldap.5.xml:626 #: sssd-ldap.5.xml:1053 sssd-ldap.5.xml:1086 msgid "" "This option can be also set per subdomain or inherited via " "<emphasis>subdomain_inherit</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3132 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3135 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3139 sssd.conf.5.xml:3197 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3146 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring Kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3170 msgid "" "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3173 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3176 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3182 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3185 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " "Internal special providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3191 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3194 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3221 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> <manvolnum>5</" "manvolnum></citerefentry> for more information on configuring the simple " "access module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3228 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum></" "citerefentry> for more information on configuring Kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3235 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3238 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3243 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3246 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3251 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3259 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring Kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3284 msgid "" "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3288 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3291 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3298 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3301 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3305 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3313 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3317 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3321 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3324 sssd.conf.5.xml:3410 sssd.conf.5.xml:3480 #: sssd.conf.5.xml:3505 sssd.conf.5.xml:3541 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3328 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " "options that can be used to adjust the behavior. Please refer to " "\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3343 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " "<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " "activity in SSSD if you do not want to use sudo with SSSD at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3353 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3356 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " "providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3362 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3370 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3373 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3379 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3382 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3388 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3397 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " "the AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3406 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3416 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3419 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " "Commander, which works only with IPA. Supported session providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3426 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3430 msgid "" "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3434 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3438 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3446 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3449 msgid "" "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3453 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3460 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3468 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more information on configuring the AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3477 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3487 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3490 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3494 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3502 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3512 msgid "resolver_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3515 msgid "" "The provider which should handle hosts and networks lookups. Supported " "resolver providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3519 msgid "" "<quote>proxy</quote> to forward lookups to another NSS library. See " "<quote>proxy_resolver_lib_name</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3523 msgid "" "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3530 msgid "" "<quote>ad</quote> to fetch hosts and networks stored in AD. See " "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more information on configuring the AD " "provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3538 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3551 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " "match either the SSSD configuration domain name, or, in the case of IPA " "trust subdomains and Active Directory domains, the flat (NetBIOS) name of " "the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3560 msgid "" "Default: <quote>^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>" "[^@]+))$</quote> which allows two different styles for user names:" msgstr "" # auto translated by TM merge from project: Fedora Websites, version: # fedorahosted.org, DocId: po/fedorahosted #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3565 sssd.conf.5.xml:3579 msgid "username" msgstr "username" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3568 sssd.conf.5.xml:3582 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3573 msgid "" "Default for the AD and IPA provider: <quote>^(((?P<domain>[^\\\\]+)\\" "\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<" "name>[^@\\\\]+)))$</quote> which allows three different styles for user " "names:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3585 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3588 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3593 msgid "" "The default re_expression uses the <quote>@</quote> character as a separator " "between the name and the domain. As a result of this setting the default " "does not accept the <quote>@</quote> character in short names (as it is " "allowed in Windows group names). If a user wishes to use short names with " "<quote>@</quote> they must create their own re_expression." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3645 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3651 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3654 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3658 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3661 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3664 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3667 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3670 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3673 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3679 #, fuzzy #| msgid "dns_resolver_timeout" msgid "dns_resolver_server_timeout (integer)" msgstr "dns_resolver_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3682 msgid "" "Defines the amount of time (in milliseconds) SSSD would try to talk to DNS " "server before trying next DNS server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3687 msgid "" "The AD provider will use this option for the CLDAP ping timeouts as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3691 sssd.conf.5.xml:3711 sssd.conf.5.xml:3732 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3696 sssd-ldap.5.xml:645 include/failover.xml:84 msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3702 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "dns_resolver_op_timeout (integer)" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3705 msgid "" "Defines the amount of time (in seconds) to wait to resolve single DNS query " "(e.g. resolution of a hostname or an SRV record) before trying the next " "hostname or DNS discovery." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3722 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3725 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is unreachable. " "If this timeout is reached, the domain will continue to operate in offline " "mode." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3743 #, fuzzy #| msgid "dns_resolver_timeout" msgid "dns_resolver_use_search_list (bool)" msgstr "dns_resolver_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3746 msgid "" "Normally, the DNS resolver searches the domain list defined in the " "\"search\" directive from the resolv.conf file. This can lead to delays in " "environments with improperly configured DNS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3752 msgid "" "If fully qualified domain names (or _srv_) are used in the SSSD " "configuration, setting this option to FALSE can prevent unnecessary DNS " "lookups in such environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3758 #, fuzzy #| msgid "Default: 3" msgid "Default: TRUE" msgstr "Výchozí: 3" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3764 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3767 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3771 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3777 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "failover_primary_timeout (integer)" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3780 msgid "" "When no primary server is currently available, SSSD fail overs to a backup " "server. This option defines the amount of time (in seconds) to wait before " "SSSD tries to reconnect to a primary server again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3787 msgid "Note: The minimum value is 31." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3790 #, fuzzy #| msgid "Default: 3" msgid "Default: 31" msgstr "Výchozí: 3" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3796 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3799 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3805 msgid "case_sensitive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3812 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3815 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3821 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3823 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3827 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3830 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " "protocol names) are still lowercased in the output." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3838 msgid "" "If you want to set this value for trusted domain with IPA provider, you need " "to set it on both the client and SSSD on the server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3808 msgid "" "Treat user and group names as case sensitive. Possible option values are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3853 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3859 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3862 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " "Currently the following options can be inherited:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3868 #, fuzzy #| msgid "dns_resolver_timeout" msgid "ldap_search_timeout" msgstr "dns_resolver_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3871 #, fuzzy #| msgid "dns_resolver_timeout" msgid "ldap_network_timeout" msgstr "dns_resolver_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3874 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_opt_timeout" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3877 #, fuzzy #| msgid "dns_resolver_timeout" msgid "ldap_offline_timeout" msgstr "dns_resolver_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3880 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_enumeration_refresh_timeout" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3883 msgid "ldap_enumeration_refresh_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3886 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3889 msgid "ldap_purge_cache_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3892 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3896 msgid "ldap_krb5_ticket_lifetime" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3899 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_enumeration_search_timeout" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3902 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_connection_expire_timeout" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3905 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_connection_expire_offset" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3908 msgid "ldap_connection_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3911 sssd-ldap.5.xml:401 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3914 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3917 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3920 msgid "auto_private_groups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3923 msgid "case_sensitive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:3928 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3935 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3942 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3953 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3954 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3945 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " "possible values. In addition to those, the expansion below can only be used " "with <emphasis>subdomain_homedir</emphasis>. <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3959 msgid "" "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3963 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3968 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3971 msgid "" "Various tags stored by the realmd configuration service for this domain." msgstr "Různé štítky uložené službou nastavování realmd pro tuto doménu." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3977 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3980 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " "the online mode. If the credentials are incorrect, SSSD falls back to online " "authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3988 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3993 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3997 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " "<quote>initgroups.</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4008 #, fuzzy #| msgid "simple_deny_users (string)" msgid "local_auth_policy (string)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4011 msgid "" "Local authentication methods policy. Some backends (i.e. LDAP, proxy " "provider) only support a password based authentication, while others can " "handle PKINIT based Smartcard authentication (AD, IPA), two-factor " "authentication (IPA), or other methods against a central instance. By " "default in such cases authentication is only performed with the methods " "supported by the backend. With this option additional methods can be enabled " "which are evaluated and checked locally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4023 msgid "" "There are three possible values for this option: match, only, enable. " "<quote>match</quote> is used to match offline and online states for Kerberos " "methods. <quote>only</quote> ignores the online methods and only offer the " "local ones. enable allows explicitly defining the methods for local " "authentication. As an example, <quote>enable:passkey</quote>, only enables " "passkey for local authentication. Multiple enable values should be comma-" "separated, such as <quote>enable:passkey, enable:smartcard</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4036 msgid "" "The following table shows which authentication methods, if configured " "properly, are currently enabled or disabled for each backend, with the " "default local_auth_policy: <quote>match</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd.conf.5.xml:4049 #, fuzzy #| msgid "simple_deny_users (string)" msgid "local_auth_policy = match (default)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd.conf.5.xml:4050 msgid "Passkey" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd.conf.5.xml:4051 msgid "Smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4054 sssd-ldap.5.xml:189 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4057 sssd-ldap.5.xml:194 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd.conf.5.xml:4057 sssd.conf.5.xml:4060 sssd.conf.5.xml:4061 msgid "disabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> #: sssd.conf.5.xml:4060 msgid "LDAP" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4065 msgid "" "Please note that if local Smartcard authentication is enabled and a " "Smartcard is present, Smartcard authentication will be preferred over the " "authentication methods supported by the backend. I.e. there will be a PIN " "prompt instead of e.g. a password prompt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:4077 #, no-wrap msgid "" "[domain/shadowutils]\n" "id_provider = proxy\n" "proxy_lib_name = files\n" "auth_provider = none\n" "local_auth_policy = only\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4073 msgid "" "The following configuration example allows local users to authenticate " "locally using any enabled method (i.e. smartcard, passkey). <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4085 msgid "" "It is expected that the <quote>files</quote> provider ignores the " "local_auth_policy option and supports Smartcard authentication by default." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4090 #, fuzzy #| msgid "Default: 3" msgid "Default: match" msgstr "Výchozí: 3" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4095 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4101 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4104 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4108 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " "UID or GID number with this option. In other words, enabling this option " "enforces uniqueness across the ID space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4117 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4120 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4126 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4129 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " "to a real group object in LDAP. If the values are the same, but the primary " "GID in the user entry is also used by a group object, the primary GID of the " "user resolves to that group object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4142 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4149 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " "the existing user private groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4098 msgid "" "This option takes any of three available values: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4161 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:4169 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" "auto_private_groups = false\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:4175 #, no-wrap msgid "" "[domain/forest.domain]\n" "subdomain_inherit = auto_private_groups\n" "auto_private_groups = false\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4166 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " "globally for all subdomains in the main domain section using the " "subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:2570 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called <quote>[domain/<replaceable>NAME</" "replaceable>]</quote> <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4190 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4193 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4196 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here. As an alternative you can " "enable local authentication with the local_auth_policy option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4206 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4209 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " "for example _nss_files_getpwent." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4219 msgid "proxy_resolver_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4222 msgid "" "The name of the NSS library to use for hosts and networks lookups in proxy " "domains. The NSS functions searched for in the library are in the form of " "_nss_$(libName)_$(function), for example _nss_dns_gethostbyname2_r." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4233 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4236 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " "name was an alias. Setting this option to true would cause the SSSD to " "perform the ID lookup from cache for performance reasons." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4250 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4253 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " "slots, which would cause some issues due to the requests being queued." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4186 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:4269 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4271 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> <refentrytitle>sssd-ifp</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>) is appealing to " "applications as a gateway to an LDAP directory where users and groups are " "stored. However, contrary to the traditional SSSD deployment where all users " "and groups either have POSIX attributes or those attributes can be inferred " "from the Windows SIDs, in many cases the users and groups in the application " "support scenario have no POSIX attributes. Instead of setting a " "<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " "administrator can set up an <quote>[application/<replaceable>NAME</" "replaceable>]</quote> section that internally represents a domain with type " "<quote>application</quote> optionally inherits settings from a tradition " "SSSD domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4291 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " "application domain and its POSIX sibling domain is set correctly." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> #: sssd.conf.5.xml:4297 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:4299 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4302 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " "application settings that augment or override the <quote>sibling</quote> " "domain settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4316 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " "through the NSS responder. In addition, the application domain also requests " "the telephoneNumber attribute, stores it as the phone attribute in the cache " "and makes the phone attribute reachable through the D-Bus interface." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> #: sssd.conf.5.xml:4324 #, no-wrap msgid "" "[sssd]\n" "domains = appdom, posixdom\n" "\n" "[ifp]\n" "user_attributes = +phone\n" "\n" "[domain/posixdom]\n" "id_provider = ldap\n" "ldap_uri = ldap://ldap.example.com\n" "ldap_search_base = dc=example,dc=com\n" "\n" "[application/appdom]\n" "inherit_from = posixdom\n" "ldap_user_extra_attrs = phone:telephoneNumber\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4344 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4346 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called <quote>[domain/" "<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</" "replaceable>]</quote>. Where DOMAIN_NAME is the actual joined-to base " "domain. Please refer to examples below for explanation. Currently supported " "options in the trusted domain section are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4353 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4354 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4355 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4356 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4357 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4358 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4359 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4360 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4361 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4362 sssd-ipa.5.xml:884 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4366 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4372 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4374 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " "certificate to the LDAP object of the user or to a local override. While " "using the full certificate is required to use the Smartcard authentication " "feature of SSH (see <citerefentry> <refentrytitle>sss_ssh_authorizedkeys</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> for details) it " "might be cumbersome or not even possible to do this for the general case " "where local services use PAM for authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4388 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for details)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4397 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like <quote>[certmap/" "<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</" "replaceable>]</quote>. In this section the following options are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4404 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4407 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4411 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4418 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4421 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4427 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4433 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4442 msgid "domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4445 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " "supports subdomains this option can be used to add the rule to subdomains as " "well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4452 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4457 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4460 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " "priority while <quote>4294967295</quote> is the lowest." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4466 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4472 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4478 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4484 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like e.g. " "<quote>(username)</quote> or <quote>({subject_rfc822_name.short_name})</" "quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4493 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4501 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4503 msgid "" "If a special file (<filename>/var/lib/sss/pubconf/pam_preauth_available</" "filename>) exists SSSD's PAM module pam_sss will ask SSSD to figure out " "which authentication methods are available for the user trying to log in. " "Based on the results pam_sss will prompt the user for appropriate " "credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4511 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " "select the prompting might not be suitable for all use cases. The following " "options should provide a better flexibility here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4523 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4526 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4527 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4525 msgid "" "to configure password prompting, allowed options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4535 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4539 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4540 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4543 msgid "second_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4544 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4547 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4548 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " "string. Please note that both factors have to be entered here, even if the " "second factor is optional." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4537 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is " "optional and it should be possible to log in either only with the password " "or with both factors two-step prompting has to be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4565 msgid "[prompting/passkey]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4571 sssd-ad.5.xml:1021 msgid "interactive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4573 msgid "" "boolean value, if True prompt a message and wait before testing the presence " "of a passkey device. Recommended if your device doesn’t have a tactile " "trigger." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4581 msgid "interactive_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4583 msgid "to change the message of the interactive prompt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4588 msgid "touch" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4590 msgid "" "boolean value, if True prompt a message to remind the user to touch the " "device." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4596 msgid "touch_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4598 msgid "to change the message of the touch prompt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4567 msgid "" "to configure passkey authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4518 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder " "type=\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" id=\"1\"/" "> <placeholder type=\"variablelist\" id=\"2\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4609 msgid "" "It is possible to add a subsection for specific PAM services, e.g. " "<quote>[prompting/password/sshd]</quote> to individual change the prompting " "for this service." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4616 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4622 #, no-wrap msgid "" "[sssd]\n" "domains = LDAP\n" "services = nss, pam\n" "config_file_version = 2\n" "\n" "[nss]\n" "filter_groups = root\n" "filter_users = root\n" "\n" "[pam]\n" "\n" "[domain/LDAP]\n" "id_provider = ldap\n" "ldap_uri = ldap://ldap.example.com\n" "ldap_search_base = dc=example,dc=com\n" "\n" "auth_provider = krb5\n" "krb5_server = kerberos.example.com\n" "krb5_realm = EXAMPLE.COM\n" "cache_credentials = true\n" "\n" "min_id = 10000\n" "max_id = 20000\n" "enumerate = False\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4618 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " "configuring domains for more details. <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4655 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" "use_fully_qualified_names = false\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4649 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " "domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " "(child.ad.com). To enable shortnames in the child domain the following " "configuration should be used. <placeholder type=\"programlisting\" id=\"0\"/" ">" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4666 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" "matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$\n" "maprule = (userCertificate;binary={cert!bin})\n" "domains = my.domain, your.domain\n" "priority = 10\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4660 msgid "" "3. The following example shows the configuration of a certificate mapping " "rule. It is valid for the configured domain <quote>my.domain</quote> and " "additionally for the subdomains <quote>your.domain</quote> and uses the full " "certificate in the search filter. <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 msgid "sssd-ldap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ldap.5.xml:17 msgid "SSSD LDAP provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:21 pam_sss.8.xml:63 pam_sss_gss.8.xml:30 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 #: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 #: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sssd-krb5.5.xml:21 #: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-session-recording.5.xml:21 sssd-kcm.8.xml:21 #: sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 #: sssd_krb5_localauth_plugin.8.xml:20 msgid "DESCRIPTION" msgstr "POPIS" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:23 msgid "" "This manual page describes the configuration of LDAP domains for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for detailed syntax information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:35 msgid "You can configure SSSD to use more than one LDAP domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:38 msgid "" "LDAP back end supports id, auth, access and chpass providers. If you want to " "authenticate against an LDAP server either TLS/SSL or LDAPS is required. " "<command>sssd</command> <emphasis>does not</emphasis> support authentication " "over an unencrypted channel. Even if the LDAP server is used only as an " "identity provider, an encrypted channel is strongly recommended. Please " "refer to <quote>ldap_access_filter</quote> config option for more " "information about using LDAP as an access provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:50 sssd-simple.5.xml:69 sssd-ipa.5.xml:82 sssd-ad.5.xml:130 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:77 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202 msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:67 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:70 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the <quote>FAILOVER</" "quote> section for more information on failover and server redundancy. If " "neither option is specified, service discovery is enabled. For more " "information, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:77 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:80 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:83 msgid "" "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:86 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:92 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:95 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a user. " "Refer to the <quote>FAILOVER</quote> section for more information on " "failover and server redundancy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:102 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:106 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:112 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:115 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:119 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:123 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:126 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> #: sssd-ldap.5.xml:129 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by http://www." "ietf.org/rfc/rfc2254.txt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:133 sssd-ad.5.xml:311 sss_override.8.xml:143 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:136 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:141 msgid "" "ldap_search_base = cn=host_specific,dc=example,dc=com?subtree?" "(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:144 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " "different search bases). This will lead to unpredictable behavior on client " "machines." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:151 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " "defaultNamingContext does not exist or has an empty value namingContexts is " "used. The namingContexts attribute must have a single value with the DN of " "the search base of the LDAP server to make this work. Multiple values are " "are not supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:165 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:168 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " "may vary. The way that some attributes are handled may also differ." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:175 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:179 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:184 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:200 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " "the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " "group members are listed by DN and stored in the <emphasis>member</emphasis> " "attribute. The AD schema type sets the attributes to correspond with Active " "Directory 2008r2 values." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:210 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:216 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:219 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:223 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:227 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:233 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:240 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " "connection is used to change the password therefore the user must have write " "access to userPassword attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:248 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:254 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:257 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:264 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:267 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:271 msgid "The two mechanisms currently supported are:" msgstr "" # auto translated by TM merge from project: FreeIPA, version: ipa-4-5, DocId: # po/ipa #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:274 msgid "password" msgstr "heslo" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:277 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:280 msgid "Default: password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:283 msgid "" "See the <citerefentry> <refentrytitle>sss_obfuscate</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> manual page for more information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:294 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:297 msgid "The authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:303 msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:306 msgid "" "Some directory servers, for example Active Directory, might deliver the " "realm part of the UPN in lower case, which might cause the authentication to " "fail. Set this option to a non-zero value if you want to use an upper-case " "realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:319 msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:322 msgid "" "Specifies how many seconds SSSD has to wait before refreshing its cache of " "enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:338 msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:341 msgid "" "Determine how often to check the cache for inactive entries (such as groups " "with no members and users who have never logged in) and remove them to save " "space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:347 msgid "" "Setting this option to zero will disable the cache cleanup operation. Please " "note that if enumeration is enabled, the cleanup task is required in order " "to detect entries removed from the server and can't be disabled. By default, " "the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:367 msgid "ldap_group_nesting_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:370 msgid "" "If ldap_schema is set to a schema format that supports nested groups (e.g. " "RFC2307bis), then this option controls how many levels of nesting SSSD will " "follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:377 msgid "" "Note: This option specifies the guaranteed level of nested groups to be " "processed for any lookup. However, nested groups beyond this limit " "<emphasis>may be</emphasis> returned if previous lookups already resolved " "the deeper nesting levels. Also, subsequent lookups for other groups may " "enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:386 msgid "" "If ldap_group_nesting_level is set to 0 then no nested groups are processed " "at all. However, when connected to Active-Directory Server 2008 and later " "using <quote>id_provider=ad</quote> it is furthermore required to disable " "usage of Token-Groups by setting ldap_use_tokengroups to false in order to " "restrict group nesting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:395 msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:404 msgid "" "This options enables or disables use of Token-Groups attribute when " "performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:414 msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:420 msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:423 msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:427 sssd-ipa.5.xml:462 sssd-ipa.5.xml:481 sssd-ipa.5.xml:500 #: sssd-ipa.5.xml:519 msgid "" "See <quote>ldap_search_base</quote> for information about configuring " "multiple search bases." msgstr "" #. type: Content of: <listitem><para> #: sssd-ldap.5.xml:432 sssd-ipa.5.xml:467 include/ldap_search_bases.xml:27 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:439 msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:444 msgid "ldap_iphost_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:449 msgid "ldap_ipnetwork_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:454 msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:457 msgid "" "Specifies the timeout (in seconds) that ldap searches are allowed to run " "before they are cancelled and cached results are returned (and offline mode " "is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:463 msgid "" "Note: this option is subject to change in future versions of the SSSD. It " "will likely be replaced at some point by a series of timeouts for specific " "lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:480 msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:483 msgid "" "Specifies the timeout (in seconds) that ldap searches for user and group " "enumerations are allowed to run before they are cancelled and cached results " "are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:501 msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:504 msgid "" "Specifies the timeout (in seconds) after which the <citerefentry> " "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> </citerefentry>/" "<citerefentry> <refentrytitle>select</refentrytitle> <manvolnum>2</" "manvolnum> </citerefentry> following a <citerefentry> " "<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> </" "citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:532 msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:535 msgid "" "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " "will abort if no response is received. Also controls the timeout when " "communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " "operation, password change extended operation and the StartTLS operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:555 msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:558 msgid "" "Specifies a timeout (in seconds) that a connection to an LDAP server will be " "maintained. After this time, the connection will be re-established. If used " "in parallel with SASL/GSSAPI, the sooner of the two values (this value vs. " "the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:566 msgid "" "If the connection is idle (not actively running an operation) within " "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be " "closed early to ensure that a new query cannot require the connection to " "remain open past its expiration. This implies that connections will always " "be closed immediately and will never be reused if " "<emphasis>ldap_connection_expire_timeout <= ldap_opt_timout</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:578 msgid "" "This timeout can be extended of a random value specified by " "<emphasis>ldap_connection_expire_offset</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:588 sssd-ldap.5.xml:631 sssd-ldap.5.xml:1713 msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:594 msgid "ldap_connection_expire_offset (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:597 msgid "" "Random offset between 0 and configured value is added to " "<emphasis>ldap_connection_expire_timeout</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:613 #, fuzzy #| msgid "dns_resolver_op_timeout" msgid "ldap_connection_idle_timeout (integer)" msgstr "dns_resolver_op_timeout" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:616 msgid "" "Specifies a timeout (in seconds) that an idle connection to an LDAP server " "will be maintained. If the connection is idle for more than this time then " "the connection will be closed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:622 msgid "You can disable this timeout by setting the value to 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:637 msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:640 msgid "" "Specify the number of records to retrieve from LDAP in a single request. " "Some LDAP servers enforce a maximum limit per-request." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:651 msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:654 msgid "" "Disable the LDAP paging control. This option should be used if the LDAP " "server reports that it supports the LDAP paging control in its RootDSE but " "it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:660 msgid "" "Example: OpenLDAP servers with the paging control module installed on the " "server but not enabled will report it in the RootDSE but be unable to use it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:666 msgid "" "Example: 389 DS has a bug where it can only support a one paging control at " "a time on a single connection. On busy clients, this can result in some " "requests being denied." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:678 msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:681 msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:684 msgid "" "Active Directory limits the number of members to be retrieved in a single " "lookup using the MaxValRange policy (which defaults to 1500 members). If a " "group contains more members, the reply would include an AD-specific range " "extension. This option disables parsing of the range extension, therefore " "large groups will appear as having no members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:699 msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:702 msgid "" "When communicating with an LDAP server using SASL, specify the minimum " "security level necessary to establish the connection. The values of this " "option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:724 msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:715 msgid "ldap_sasl_maxssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:718 msgid "" "When communicating with an LDAP server using SASL, specify the maximal " "security level necessary to establish the connection. The values of this " "option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:731 msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:734 msgid "" "Specify the number of group members that must be missing from the internal " "cache in order to trigger a dereference lookup. If less members are missing, " "they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:740 msgid "" "You can turn off dereference lookups completely by setting the value to 0. " "Please note that there are some codepaths in SSSD, like the IPA HBAC " "provider, that are only implemented using the dereference call, so even with " "dereference explicitly disabled, those parts will still use dereference if " "the server supports it and advertises the dereference control in the rootDSE " "object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:751 msgid "" "A dereference lookup is a means of fetching all group members in a single " "LDAP call. Different LDAP servers may implement different dereference " "methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " "Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:759 msgid "" "<emphasis>Note:</emphasis> If any of the search bases specifies a search " "filter, then the dereference lookup performance enhancement will be disabled " "regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:772 msgid "ldap_ignore_unreadable_references (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:775 msgid "" "Ignore unreadable LDAP entries referenced in group's member attribute. If " "this parameter is set to false an error will be returned and the operation " "will fail instead of just ignoring the unreadable entry." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:782 msgid "" "This parameter may be useful when using the AD provider and the computer " "account that sssd uses to connect to AD does not have access to a particular " "entry or LDAP sub-tree for security reasons." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:795 msgid "ldap_tls_reqcert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:798 msgid "" "Specifies what checks to perform on server certificates in a TLS session, if " "any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:804 msgid "" "<emphasis>never</emphasis> = The client will not request or check any server " "certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:808 msgid "" "<emphasis>allow</emphasis> = The server certificate is requested. If no " "certificate is provided, the session proceeds normally. If a bad certificate " "is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:815 msgid "" "<emphasis>try</emphasis> = The server certificate is requested. If no " "certificate is provided, the session proceeds normally. If a bad certificate " "is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:821 msgid "" "<emphasis>demand</emphasis> = The server certificate is requested. If no " "certificate is provided, or a bad certificate is provided, the session is " "immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:827 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:831 msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:837 msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:840 msgid "" "Specifies the file that contains certificates for all of the Certificate " "Authorities that <command>sssd</command> will recognize." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:845 sssd-ldap.5.xml:863 sssd-ldap.5.xml:904 msgid "" "Default: use OpenLDAP defaults, typically in <filename>/etc/openldap/ldap." "conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:852 msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:855 msgid "" "Specifies the path of a directory that contains Certificate Authority " "certificates in separate individual files. Typically the file names need to " "be the hash of the certificate followed by '.0'. If available, " "<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:870 msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:873 msgid "Specifies the file that contains the certificate for the client's key." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:883 msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:886 msgid "Specifies the file that contains the client's key." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:895 msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:898 msgid "" "Specifies acceptable cipher suites. Typically this is a colon separated " "list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:911 msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:914 msgid "" "Specifies that the id_provider connection must also use <systemitem " "class=\"protocol\">tls</systemitem> to protect the channel. <emphasis>true</" "emphasis> is strongly recommended for security reasons." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:925 msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:928 msgid "" "Specifies that SSSD should attempt to map user and group IDs from the " "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " "on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:934 msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:944 msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:947 msgid "" "In contrast to the SID based ID mapping which is used if ldap_id_mapping is " "set to true the allowed ID range for ldap_user_uid_number and " "ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " "might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " "can be set to restrict the allowed range for the IDs which are read directly " "from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:959 msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:965 msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:968 msgid "" "Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " "tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:972 msgid "" "If the backend supports sub-domains the value of ldap_sasl_mech is " "automatically inherited to the sub-domains. If a different value is needed " "for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " "sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " "<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:988 msgid "ldap_sasl_authid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ldap.5.xml:1000 #, no-wrap msgid "" "hostname@REALM\n" "netbiosname$@REALM\n" "host/hostname@REALM\n" "*$@REALM\n" "host/*@REALM\n" "host/*\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:991 msgid "" "Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " "this represents the Kerberos principal used for authentication to the " "directory. This option can either contain the full principal (for example " "host/myhost@EXAMPLE.COM) or just the principal name (for example host/" "myhost). By default, the value is not set and the following principals are " "used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them are " "found, the first principal in keytab is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1011 msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1017 msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1020 msgid "" "Specify the SASL realm to use. When not specified, this option defaults to " "the value of krb5_realm. If the ldap_sasl_authid contains the realm as " "well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1026 msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1032 msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1035 msgid "" "If set to true, the LDAP library would perform a reverse lookup to " "canonicalize the host name during a SASL bind." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1040 msgid "Default: false;" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1046 msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1049 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1058 sssd-krb5.5.xml:247 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1064 msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1067 msgid "" "Specifies that the id_provider should init Kerberos credentials (TGT). This " "action is performed only if SASL is used and the mechanism selected is " "GSSAPI or GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1079 msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1082 msgid "" "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1091 sssd-ad.5.xml:1252 msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:74 msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1100 msgid "" "Specifies the comma-separated list of IP addresses or hostnames of the " "Kerberos servers to which SSSD should connect in the order of preference. " "For more information on failover and server redundancy, see the " "<quote>FAILOVER</quote> section. An optional port number (preceded by a " "colon) may be appended to the addresses or hostnames. If empty, service " "discovery is enabled - for more information, refer to the <quote>SERVICE " "DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1112 sssd-krb5.5.xml:89 msgid "" "When using service discovery for KDC or kpasswd servers, SSSD first searches " "for DNS entries that specify _udp as the protocol and falls back to _tcp if " "none are found." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1117 sssd-krb5.5.xml:94 msgid "" "This option was named <quote>krb5_kdcip</quote> in earlier releases of SSSD. " "While the legacy name is recognized for the time being, users are advised to " "migrate their config files to use <quote>krb5_server</quote> instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1126 sssd-ipa.5.xml:531 sssd-krb5.5.xml:103 msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1129 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1133 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: sssd-ldap.5.xml:1139 include/krb5_options.xml:154 msgid "krb5_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1142 msgid "" "Specifies if the host principal should be canonicalized when connecting to " "LDAP server. This feature is available with MIT Kerberos >= 1.7" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1154 sssd-krb5.5.xml:336 msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1157 sssd-krb5.5.xml:339 msgid "" "Specifies if the SSSD should instruct the Kerberos libraries what realm and " "which KDCs to use. This option is on by default, if you disable it, you need " "to configure the Kerberos library using the <citerefentry> " "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1168 sssd-krb5.5.xml:350 msgid "" "See the <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page for more " "information on the locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1182 msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1185 msgid "" "Select the policy to evaluate the password expiration on the client side. " "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1190 msgid "" "<emphasis>none</emphasis> - No evaluation on the client side. This option " "cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1195 msgid "" "<emphasis>shadow</emphasis> - Use <citerefentry><refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum></citerefentry> style attributes to " "evaluate if the password has expired. Please see option " "\"ldap_chpass_update_last_change\" as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1203 msgid "" "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " "to determine if the password has expired. Use chpass_provider=krb5 to update " "these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1212 msgid "" "<emphasis>Note</emphasis>: if a password policy is configured on server " "side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1220 msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1223 msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1227 msgid "" "Please note that sssd only supports referral chasing when it is compiled " "with OpenLDAP version 2.4.13 or higher." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1232 msgid "" "Chasing referrals may incur a performance penalty in environments that use " "them heavily, a notable example is Microsoft Active Directory. If your setup " "does not in fact require the use of referrals, setting this option to false " "might bring a noticeable performance improvement. Setting this option to " "false is therefore recommended in case the SSSD LDAP provider is used " "together with Microsoft Active Directory as a backend. Even if SSSD would be " "able to follow the referral to a different AD DC no additional data would be " "available." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1251 msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1254 msgid "Specifies the service name to use when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1258 msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1264 msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1267 msgid "" "Specifies the service name to use to find an LDAP server which allows " "password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1272 msgid "Default: not set, i.e. service discovery is disabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1278 msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1281 msgid "" "Specifies whether to update the ldap_user_shadow_last_change attribute with " "days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1287 msgid "" "It is recommend to set this option explicitly if \"ldap_pwd_policy = " "shadow\" is used to let SSSD know if the LDAP server will update " "shadowLastChange LDAP attribute automatically after a password change or if " "SSSD has to update it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1301 msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1304 msgid "" "If using access_provider = ldap and ldap_access_order = filter (default), " "this option is mandatory. It specifies an LDAP search filter criteria that " "must be met for the user to be granted access on this host. If " "access_provider = ldap, ldap_access_order = filter and this option is not " "set, it will result in all users being denied access. Use access_provider = " "permit to change this default behavior. Please note that this filter is " "applied on the LDAP user entry only and thus filtering based on nested " "groups may not work (e.g. memberOf attribute on AD entries points only to " "direct parents). If filtering based on nested groups is required, please see " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle><manvolnum>5</" "manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1324 msgid "Example:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> #: sssd-ldap.5.xml:1327 #, no-wrap msgid "" "access_provider = ldap\n" "ldap_access_filter = (employeeType=admin)\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1331 msgid "" "This example means that access to this host is restricted to users whose " "employeeType attribute is set to \"admin\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1336 msgid "" "Offline caching for this feature is limited to determining whether the " "user's last online login was granted access permission. If they were granted " "access during their last login, they will continue to be granted access " "while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:1400 msgid "Default: Empty" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1350 msgid "ldap_account_expire_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1353 msgid "" "With this option a client side evaluation of access control attributes can " "be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1357 msgid "" "Please note that it is always recommended to use server side access control, " "i.e. the LDAP server should deny the bind request with a suitable error code " "even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1364 msgid "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1367 msgid "" "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " "determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1372 msgid "" "<emphasis>ad</emphasis>: use the value of the 32bit field " "ldap_user_ad_user_account_control and allow access if the second bit is not " "set. If the attribute is missing access is granted. Also the expiration time " "of the account is checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1379 msgid "" "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, <emphasis>389ds</" "emphasis>: use the value of ldap_ns_account_lock to check if access is " "allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1385 msgid "" "<emphasis>nds</emphasis>: the values of " "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " "ldap_user_nds_login_expiration_time are used to check if access is allowed. " "If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1393 msgid "" "Please note that the ldap_access_order configuration option <emphasis>must</" "emphasis> include <quote>expire</quote> in order for the " "ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1406 msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1409 sssd-ipa.5.xml:356 msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1413 msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1416 msgid "" "<emphasis>lockout</emphasis>: use account locking. If set, this option " "denies access in case that ldap attribute 'pwdAccountLockedTime' is present " "and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " "Please note that 'access_provider = ldap' must be set for this feature to " "work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1426 msgid "" "<emphasis> Please note that this option is superseded by the <quote>ppolicy</" "quote> option and might be removed in a future release. </emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1433 msgid "" "<emphasis>ppolicy</emphasis>: use account locking. If set, this option " "denies access in case that ldap attribute 'pwdAccountLockedTime' is present " "and has value of '000001010000Z' or represents any time in the past. The " "value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " "denotes the UTC time zone. Other time zones are not currently supported and " "will result in \"access-denied\" when users attempt to log in. Please see " "the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " "must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1450 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1454 sssd-ipa.5.xml:364 msgid "" "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " "pwd_expire_policy_renew: </emphasis> These options are useful if users are " "interested in being warned that password is about to expire and " "authentication is based on using a different method than passwords - for " "example SSH keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1464 sssd-ipa.5.xml:374 msgid "" "The difference between these options is the action taken if user password is " "expired:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1469 sssd-ipa.5.xml:379 msgid "pwd_expire_policy_reject - user is denied to log in," msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1475 sssd-ipa.5.xml:385 msgid "pwd_expire_policy_warn - user is still able to log in," msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1481 sssd-ipa.5.xml:391 msgid "" "pwd_expire_policy_renew - user is prompted to change their password " "immediately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1489 msgid "" "Please note that 'access_provider = ldap' must be set for this feature to " "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1494 msgid "" "<emphasis>authorized_service</emphasis>: use the authorizedService attribute " "to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1499 msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1503 msgid "" "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " "remote host can access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1507 msgid "" "Please note, rhost field in pam is set by application, it is better to check " "what the application sends to pam, before enabling this access control option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1512 msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1515 msgid "" "Please note that it is a configuration error if a value is used more than " "once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1522 msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1525 msgid "" "This option specifies the DN of password policy entry on LDAP server. Please " "note that absence of this option in sssd.conf in case of enabled account " "lockout checking will yield access denied as ppolicy attributes on LDAP " "server cannot be checked properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1533 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1536 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1542 msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1545 msgid "" "Specifies how alias dereferencing is done when performing a search. The " "following options are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1550 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1554 msgid "" "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " "the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1559 msgid "" "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " "the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1564 msgid "" "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " "in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1569 msgid "" "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " "client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1577 msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1580 msgid "" "Allows to retain local users as members of an LDAP group for servers that " "use the RFC2307 schema." msgstr "" "Umožňuje držet místní uživatele coby členy LDAP skupiny pro servery, které " "používají schéma dle normy RFC2307." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1584 msgid "" "In some environments where the RFC2307 schema is used, local users are made " "members of LDAP groups by adding their names to the memberUid attribute. " "The self-consistency of the domain is compromised when this is done, so SSSD " "would normally remove the \"missing\" users from the cached group " "memberships as soon as nsswitch tries to fetch information about the user " "via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1595 msgid "" "This option falls back to checking if local users are referenced, and caches " "them so that later initgroups() calls will augment the local users with the " "additional LDAP groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1607 sssd-ifp.5.xml:152 msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1610 msgid "" "Specifies an upper limit on the number of entries that are downloaded during " "a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1614 msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1618 msgid "Default: 1000 (often the size of one page)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1624 #, fuzzy #| msgid "ldap_idmap_range_size (integer)" msgid "ldap_library_debug_level (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1627 msgid "" "Switches on libldap debugging with the given level. The libldap debug " "messages will be written independent of the general debug_level." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1632 msgid "" "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will " "enable full debug output." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1637 msgid "Default: 0 (libldap debugging disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:52 msgid "" "All of the common configuration options that apply to SSSD domains also " "apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " "of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for full details. Note that SSSD " "LDAP mapping attributes are described in the <citerefentry> " "<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1647 msgid "SUDO OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1649 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1660 msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1663 msgid "" "How many seconds SSSD will wait between executing a full refresh of sudo " "rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1668 msgid "" "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval </" "emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1673 msgid "" "You can disable full refresh by setting this option to 0. However, either " "smart or full refresh must be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1678 msgid "Default: 21600 (6 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1684 msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1687 msgid "" "How many seconds SSSD has to wait before executing a smart refresh of sudo " "rules (which downloads all rules that have USN higher than the highest " "server USN value that is currently known by SSSD)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1693 msgid "" "If USN attributes are not supported by the server, the modifyTimestamp " "attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1697 msgid "" "<emphasis>Note:</emphasis> the highest USN value can be updated by three " "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " "enumeration of users and groups (if enabled and updated users or groups are " "found) and 3) by reconnecting to the server (by default every 15 minutes, " "see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1708 msgid "" "You can disable smart refresh by setting this option to 0. However, either " "smart or full refresh must be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1719 #, fuzzy #| msgid "ldap_idmap_range_size (integer)" msgid "ldap_sudo_random_offset (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1722 msgid "" "Random offset between 0 and configured value is added to smart and full " "refresh periods each time the periodic task is scheduled. The value is in " "seconds." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1728 msgid "" "Note that this random offset is also applied on the first SSSD start which " "delays the first sudo rules refresh. This prolongs the time when the sudo " "rules are not available for use." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1734 msgid "You can disable this offset by setting the value to 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1744 msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1747 msgid "" "If true, SSSD will download only rules that are applicable to this machine " "(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1758 msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1761 msgid "" "Space separated list of hostnames or fully qualified domain names that " "should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1766 msgid "" "If this option is empty, SSSD will try to discover the hostname and the " "fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1794 sssd-ldap.5.xml:1812 #: sssd-ldap.5.xml:1830 msgid "" "If <emphasis>ldap_sudo_use_host_filter</emphasis> is <emphasis>false</" "emphasis> then this option has no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1776 sssd-ldap.5.xml:1799 msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1782 msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1785 msgid "" "Space separated list of IPv4 or IPv6 host/network addresses that should be " "used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1790 msgid "" "If this option is empty, SSSD will try to discover the addresses " "automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1805 msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1808 msgid "" "If true then SSSD will download every rule that contains a netgroup in " "sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1823 msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1826 msgid "" "If true then SSSD will download every rule that contains a wildcard in " "sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> #: sssd-ldap.5.xml:1836 msgid "" "Using wildcard is an operation that is very costly to evaluate on the LDAP " "server side!" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1848 msgid "" "This manual page only describes attribute name mapping. For detailed " "explanation of sudo related attribute semantics, see <citerefentry> " "<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> </" "citerefentry>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1858 msgid "AUTOFS OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1860 msgid "" "Some of the defaults for the parameters below are dependent on the LDAP " "schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1866 msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1869 msgid "The name of the automount master map in LDAP." msgstr "Název v LDAP hlavní mapy pro automatické připojování." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1872 msgid "Default: auto.master" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1883 msgid "ADVANCED OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1890 msgid "ldap_netgroup_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1895 msgid "ldap_user_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1900 msgid "ldap_group_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><note> #: sssd-ldap.5.xml:1905 msgid "<note>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> #: sssd-ldap.5.xml:1907 msgid "" "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " "against Active Directory will not be restricted and return all groups " "memberships, even with no GID mapping. It is recommended to disable this " "feature, if group names are not being displayed correctly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist> #: sssd-ldap.5.xml:1914 msgid "</note>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1916 msgid "ldap_sudo_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1921 msgid "ldap_autofs_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1885 msgid "" "These options are supported by LDAP domains, but they should be used with " "caution. Please include them in your configuration only if you know what you " "are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder " "type=\"variablelist\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1936 sssd-simple.5.xml:131 sssd-ipa.5.xml:930 #: sssd-ad.5.xml:1391 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98 #: sssd-files.5.xml:155 sssd-session-recording.5.xml:176 msgid "EXAMPLE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1938 msgid "" "The following example assumes that SSSD is correctly configured and LDAP is " "set to one of the domains in the <replaceable>[domains]</replaceable> " "section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ldap.5.xml:1944 #, no-wrap msgid "" "[domain/LDAP]\n" "id_provider = ldap\n" "auth_provider = ldap\n" "ldap_uri = ldap://ldap.mydomain.org\n" "ldap_search_base = dc=mydomain,dc=org\n" "ldap_tls_reqcert = demand\n" "cache_credentials = true\n" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: sssd-ldap.5.xml:1943 sssd-ldap.5.xml:1961 sssd-simple.5.xml:139 #: sssd-ipa.5.xml:938 sssd-ad.5.xml:1399 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492 #: sssd-files.5.xml:162 sssd-files.5.xml:173 sssd-session-recording.5.xml:182 #: include/ldap_id_mapping.xml:105 msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1955 msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1957 msgid "" "The following example assumes that SSSD is correctly configured and to use " "the ldap_access_order=lockout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ldap.5.xml:1962 #, no-wrap msgid "" "[domain/LDAP]\n" "id_provider = ldap\n" "auth_provider = ldap\n" "access_provider = ldap\n" "ldap_access_order = lockout\n" "ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" "ldap_uri = ldap://ldap.mydomain.org\n" "ldap_search_base = dc=mydomain,dc=org\n" "ldap_tls_reqcert = demand\n" "cache_credentials = true\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1977 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 #: sssd-ad.5.xml:1414 sssd.8.xml:238 sss_seed.8.xml:163 msgid "NOTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1979 msgid "" "The descriptions of some of the configuration options in this manual page " "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " "distribution." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: pam_sss.8.xml:11 pam_sss.8.xml:16 msgid "pam_sss" msgstr "" #. type: Content of: <reference><refentry><refmeta><manvolnum> #: pam_sss.8.xml:12 pam_sss_gss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 #: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 #: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 #: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 #: sssd_krb5_localauth_plugin.8.xml:11 msgid "8" msgstr "8" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: pam_sss.8.xml:17 msgid "PAM module for SSSD" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: pam_sss.8.xml:22 msgid "" "<command>pam_sss.so</command> <arg choice='opt'> <replaceable>quiet</" "replaceable> </arg> <arg choice='opt'> <replaceable>forward_pass</" "replaceable> </arg> <arg choice='opt'> <replaceable>use_first_pass</" "replaceable> </arg> <arg choice='opt'> <replaceable>use_authtok</" "replaceable> </arg> <arg choice='opt'> <replaceable>retry=N</replaceable> </" "arg> <arg choice='opt'> <replaceable>ignore_unknown_user</replaceable> </" "arg> <arg choice='opt'> <replaceable>ignore_authinfo_unavail</replaceable> </" "arg> <arg choice='opt'> <replaceable>domains=X</replaceable> </arg> <arg " "choice='opt'> <replaceable>allow_missing_name</replaceable> </arg> <arg " "choice='opt'> <replaceable>prompt_always</replaceable> </arg> <arg " "choice='opt'> <replaceable>try_cert_auth</replaceable> </arg> <arg " "choice='opt'> <replaceable>require_cert_auth</replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:64 msgid "" "<command>pam_sss.so</command> is the PAM interface to the System Security " "Services daemon (SSSD). Errors and results are logged through " "<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:70 pam_sss_gss.8.xml:89 sssd.8.xml:42 sss_obfuscate.8.xml:58 #: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 #: sss_ssh_knownhostsproxy.1.xml:62 msgid "OPTIONS" msgstr "VOLBY" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:74 msgid "<option>quiet</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:77 msgid "Suppress log messages for unknown users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:82 msgid "<option>forward_pass</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:85 msgid "" "If <option>forward_pass</option> is set the entered password is put on the " "stack for other PAM modules to use." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:92 msgid "<option>use_first_pass</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:95 msgid "" "The argument use_first_pass forces the module to use a previous stacked " "modules password and will never prompt the user - if no password is " "available or the password is not appropriate, the user will be denied access." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:103 msgid "<option>use_authtok</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:106 msgid "" "When password changing enforce the module to set the new password to the one " "provided by a previously stacked password module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:113 msgid "<option>retry=N</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:116 msgid "" "If specified the user is asked another N times for a password if " "authentication fails. Default is 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:118 msgid "" "Please note that this option might not work as expected if the application " "calling PAM handles the user dialog on its own. A typical example is " "<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:127 msgid "<option>ignore_unknown_user</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:130 msgid "" "If this option is specified and the user does not exist, the PAM module will " "return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:137 msgid "<option>ignore_authinfo_unavail</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:141 msgid "" "Specifies that the PAM module should return PAM_IGNORE if it cannot contact " "the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:148 msgid "<option>domains</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:152 msgid "" "Allows the administrator to restrict the domains a particular PAM service is " "allowed to authenticate against. The format is a comma-separated list of " "SSSD domain names, as specified in the sssd.conf file." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:158 msgid "" "NOTE: If this is used for a service not running as root user, e.g. a web-" "server, it must be used in conjunction with the <quote>pam_trusted_users</" "quote> and <quote>pam_public_domains</quote> options. Please see the " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for more information on these two PAM " "responder options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:173 msgid "<option>allow_missing_name</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:177 msgid "" "The main purpose of this option is to let SSSD determine the user name based " "on additional information, e.g. the certificate from a Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> #: pam_sss.8.xml:187 #, no-wrap msgid "" "auth sufficient pam_sss.so allow_missing_name\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:182 msgid "" "The current use case are login managers which can monitor a Smartcard reader " "for card events. In case a Smartcard is inserted the login manager will call " "a PAM stack which includes a line like <placeholder type=\"programlisting\" " "id=\"0\"/> In this case SSSD will try to determine the user name based on " "the content of the Smartcard, returns it to pam_sss which will finally put " "it on the PAM stack." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:197 msgid "<option>prompt_always</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:201 msgid "" "Always prompt the user for credentials. With this option credentials " "requested by other PAM modules, typically a password, will be ignored and " "pam_sss will prompt for credentials again. Based on the pre-auth reply by " "SSSD pam_sss might prompt for a password, a Smartcard PIN or other " "credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:212 msgid "<option>try_cert_auth</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:216 msgid "" "Try to use certificate based authentication, i.e. authentication with a " "Smartcard or similar devices. If a Smartcard is available and the service is " "allowed for Smartcard authentication the user will be prompted for a PIN and " "the certificate based authentication will continue" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:224 msgid "" "If no Smartcard is available or certificate based authentication is not " "allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:232 msgid "<option>require_cert_auth</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:236 msgid "" "Do certificate based authentication, i.e. authentication with a Smartcard " "or similar devices. If a Smartcard is not available the user will be " "prompted to insert one. SSSD will wait for a Smartcard until the timeout " "defined by p11_wait_for_card_timeout passed, please see " "<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:246 msgid "" "If no Smartcard is available after the timeout or certificate based " "authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " "is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:256 pam_sss_gss.8.xml:103 msgid "MODULE TYPES PROVIDED" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:257 msgid "" "All module types (<option>account</option>, <option>auth</option>, " "<option>password</option> and <option>session</option>) are provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:260 msgid "" "If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " "not available, pam_sss will return PAM_USER_UNKNOWN when called as " "<option>account</option> module to avoid issues with users from other " "sources during access control." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:267 pam_sss_gss.8.xml:108 msgid "RETURN VALUES" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:270 pam_sss_gss.8.xml:111 msgid "PAM_SUCCESS" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:273 pam_sss_gss.8.xml:114 msgid "The PAM operation finished successfully." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:278 pam_sss_gss.8.xml:119 msgid "PAM_USER_UNKNOWN" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:281 msgid "" "The user is not known to the authentication service or the SSSD's PAM " "responder is not running." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:287 pam_sss_gss.8.xml:128 msgid "PAM_AUTH_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:290 msgid "" "Authentication failure. Also, could be returned when there is a problem with " "getting the certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:296 msgid "PAM_PERM_DENIED" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:299 msgid "" "Permission denied. The SSSD log files may contain additional information " "about the error." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:305 msgid "PAM_IGNORE" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:308 msgid "" "See options <option>ignore_unknown_user</option> and " "<option>ignore_authinfo_unavail</option>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:314 msgid "PAM_AUTHTOK_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:317 msgid "" "Unable to obtain the new authentication token. Also, could be returned when " "the user authenticates with certificates and multiple certificates are " "available, but the installed version of GDM does not support selection from " "multiple certificates." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:325 pam_sss_gss.8.xml:136 msgid "PAM_AUTHINFO_UNAVAIL" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:328 pam_sss_gss.8.xml:139 msgid "" "Unable to access the authentication information. This might be due to a " "network or hardware failure." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:334 msgid "PAM_BUF_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:337 msgid "" "A memory error occurred. Also, could be returned when options use_first_pass " "or use_authtok were set, but no password was found from the previously " "stacked PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:344 pam_sss_gss.8.xml:145 msgid "PAM_SYSTEM_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:347 pam_sss_gss.8.xml:148 msgid "" "A system error occurred. The SSSD log files may contain additional " "information about the error." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:353 msgid "PAM_CRED_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:356 msgid "Unable to set the credentials of the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:361 msgid "PAM_CRED_INSUFFICIENT" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:364 msgid "" "The application does not have sufficient credentials to authenticate the " "user. For example, missing PIN during smartcard authentication or missing " "factor during two-factor authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:372 msgid "PAM_SERVICE_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:375 msgid "Error in service module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:380 msgid "PAM_NEW_AUTHTOK_REQD" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:383 msgid "The user's authentication token has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:388 msgid "PAM_ACCT_EXPIRED" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:391 msgid "The user account has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:396 msgid "PAM_SESSION_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:399 msgid "Unable to fetch IPA Desktop Profile rules or user info." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:404 msgid "PAM_CRED_UNAVAIL" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:407 msgid "Unable to retrieve Kerberos user credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:412 msgid "PAM_NO_MODULE_DATA" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:415 msgid "" "No authentication method was found by Kerberos. This might happen if the " "user has a Smartcard assigned but the pkint plugin is not available on the " "client." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:422 msgid "PAM_CONV_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:425 msgid "Conversation failure." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:430 msgid "PAM_AUTHTOK_LOCK_BUSY" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:433 msgid "No KDC suitable for password change is available." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:438 msgid "PAM_ABORT" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:441 msgid "Unknown PAM call." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:446 msgid "PAM_MODULE_UNKNOWN" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:449 msgid "Unsupported PAM task or command." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:454 msgid "PAM_BAD_ITEM" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:457 msgid "The authentication module cannot handle Smartcard credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:465 msgid "FILES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:466 msgid "" "If a password reset by root fails, because the corresponding SSSD provider " "does not support password resets, an individual message can be displayed. " "This message can e.g. contain instructions about how to reset a password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:471 msgid "" "The message is read from the file <filename>pam_sss_pw_reset_message.LOC</" "filename> where LOC stands for a locale string returned by <citerefentry> " "<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> </" "citerefentry>. If there is no matching file the content of " "<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " "the owner of the files and only root may have read and write permissions " "while all other users must have only read permissions." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:481 msgid "" "These files are searched in the directory <filename>/etc/sssd/customize/" "DOMAIN_NAME/</filename>. If no matching file is present a generic message is " "displayed." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: pam_sss_gss.8.xml:11 pam_sss_gss.8.xml:16 msgid "pam_sss_gss" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: pam_sss_gss.8.xml:17 msgid "PAM module for SSSD GSSAPI authentication" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: pam_sss_gss.8.xml:22 #, fuzzy #| msgid "" #| "<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" #| "replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" #| "arg>" msgid "" "<command>pam_sss_gss.so</command> <arg choice='opt'> <replaceable>debug</" "replaceable> </arg>" msgstr "" "<command>sss_groupdel</command> <arg choice='opt'> <replaceable>volby</" "replaceable> </arg> <arg choice='plain'><replaceable>SKUPINA</replaceable></" "arg>" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:32 msgid "" "<command>pam_sss_gss.so</command> authenticates user over GSSAPI in " "cooperation with SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:36 msgid "" "This module will try to authenticate the user using the GSSAPI hostbased " "service name host@hostname which translates to host/hostname@REALM Kerberos " "principal. The <emphasis>REALM</emphasis> part of the Kerberos principal " "name is derived by Kerberos internal mechanisms and it can be set explicitly " "in configuration of [domain_realm] section in /etc/krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:44 msgid "" "SSSD is used to provide desired service name and to validate the user's " "credentials using GSSAPI calls. If the service ticket is already present in " "the Kerberos credentials cache or if user's ticket granting ticket can be " "used to get the correct service ticket then the user will be authenticated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:51 msgid "" "If <option>pam_gssapi_check_upn</option> is True (default) then SSSD " "requires that the credentials used to obtain the service tickets can be " "associated with the user. This means that the principal that owns the " "Kerberos credentials must match with the user principal name as defined in " "LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:58 msgid "" "To enable GSSAPI authentication in SSSD, set <option>pam_gssapi_services</" "option> option in [pam] or domain section of sssd.conf. The service " "credentials need to be stored in SSSD's keytab (it is already present if you " "use ipa or ad provider). The keytab location can be set with " "<option>krb5_keytab</option> option. See <citerefentry> <refentrytitle>sssd." "conf</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> and " "<citerefentry> <refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for more details on these options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:74 msgid "" "Some Kerberos deployments allow to associate authentication indicators with " "a particular pre-authentication method used to obtain the ticket granting " "ticket by the user. <command>pam_sss_gss.so</command> allows to enforce " "presence of authentication indicators in the service tickets before a " "particular PAM service can be accessed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:82 msgid "" "If <option>pam_gssapi_indicators_map</option> is set in the [pam] or domain " "section of sssd.conf, then SSSD will perform a check of the presence of any " "configured indicators in the service ticket." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss_gss.8.xml:93 msgid "<option>debug</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss_gss.8.xml:96 msgid "Print debugging information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:104 msgid "Only the <option>auth</option> module type is provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss_gss.8.xml:122 msgid "" "The user is not known to the authentication service or the GSSAPI " "authentication is not supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss_gss.8.xml:131 msgid "Authentication failure." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:159 msgid "" "The main use case is to provide password-less authentication in sudo but " "without the need to disable authentication completely. To achieve this, " "first enable GSSAPI authentication for sudo in sssd.conf:" msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: pam_sss_gss.8.xml:165 #, no-wrap msgid "" "[domain/MYDOMAIN]\n" "pam_gssapi_services = sudo, sudo-i\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:169 msgid "" "And then enable the module in desired PAM stack (e.g. /etc/pam.d/sudo and /" "etc/pam.d/sudo-i)." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: pam_sss_gss.8.xml:173 #, no-wrap msgid "" "...\n" "auth sufficient pam_sss_gss.so\n" "...\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss_gss.8.xml:180 msgid "TROUBLESHOOTING" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:182 msgid "" "SSSD logs, pam_sss_gss debug output and syslog may contain helpful " "information about the error. Here are some common issues:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:186 msgid "" "1. I have KRB5CCNAME environment variable set and the authentication does " "not work: Depending on your sudo version, it is possible that sudo does not " "pass this variable to the PAM environment. Try adding KRB5CCNAME to " "<option>env_keep</option> in /etc/sudoers or in your LDAP sudo rules default " "options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:193 msgid "" "2. Authentication does not work and syslog contains \"Server not found in " "Kerberos database\": Kerberos is probably not able to resolve correct realm " "for the service ticket based on the hostname. Try adding the hostname " "directly to <option>[domain_realm]</option> in /etc/krb5.conf like so:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:200 msgid "" "3. Authentication does not work and syslog contains \"No Kerberos " "credentials available\": You don't have any credentials that can be used to " "obtain the required service ticket. Use kinit or authenticate over SSSD to " "acquire those credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:206 msgid "" "4. Authentication does not work and SSSD sssd-pam log contains \"User with " "UPN [$UPN] was not found.\" or \"UPN [$UPN] does not match target user " "[$username].\": You are using credentials that can not be mapped to the user " "that is being authenticated. Try to use kswitch to select different " "principal, make sure you authenticated with SSSD or consider disabling " "<option>pam_gssapi_check_upn</option>." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: pam_sss_gss.8.xml:214 #, no-wrap msgid "" "[domain_realm]\n" ".myhostname = MYREALM\n" " " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 msgid "sssd_krb5_locator_plugin" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd_krb5_locator_plugin.8.xml:16 msgid "Kerberos locator plugin" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:22 msgid "" "The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " "used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " "a plugin to guide all Kerberos clients on a system to a single KDC. In " "general it should not matter to which KDC a client process is talking to. " "But there are cases, e.g. after a password change, where not all KDCs are in " "the same state because the new data has to be replicated first. To avoid " "unexpected authentication failures and maybe even account lockings it would " "be good to talk to a single KDC as long as possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:34 msgid "" "libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " "Kerberos plugin directory, see plugin_base_dir in <citerefentry> " "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for details. The plugin can only be disabled by removing the " "plugin file. There is no option in the Kerberos configuration to disable it. " "But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " "disable the plugin for individual commands. Alternatively the SSSD option " "krb5_use_kdcinfo=False can be used to not generate the data needed by the " "plugin. With this the plugin is still called but will provide no data to the " "caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:50 msgid "" "The plugin reads the information about the KDCs of a given realm from a file " "called <filename>kdcinfo.REALM</filename>. The file should contain one or " "more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " "hexadecimal IPv6 notation. An optional port number can be added to the end " "separated with a colon, the IPv6 address has to be enclosed in squared " "brackets in this case as usual. Valid entries are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:58 msgid "kdc.example.com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:59 msgid "kdc.example.com:321" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:60 msgid "1.2.3.4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:61 msgid "5.6.7.8:99" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:62 msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:63 msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:65 msgid "" "SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " "adds the address of the current KDC or domain controller SSSD is using to " "this file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:70 msgid "" "In environments with read-only and read-write KDCs where clients are " "expected to use the read-only instances for the general operations and only " "the read-write KDC for config changes like password changes a " "<filename>kpasswdinfo.REALM</filename> is used as well to identify read-" "write KDCs. If this file exists for the given realm the content will be used " "by the plugin to reply to requests for a kpasswd or kadmin server or for the " "MIT Kerberos specific master KDC. If the address contains a port number the " "default KDC port 88 will be used for the latter." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:85 msgid "" "Not all Kerberos implementations support the use of plugins. If " "<command>sssd_krb5_locator_plugin</command> is not available on your system " "you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:91 msgid "" "If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " "debug messages will be sent to stderr." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:95 msgid "" "If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " "the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " "caller." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:100 msgid "" "If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " "any value plugin will try to resolve all DNS names in kdcinfo file. By " "default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " "first DNS resolving failure." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-simple.5.xml:10 sssd-simple.5.xml:16 msgid "sssd-simple" msgstr "sssd-simple" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-simple.5.xml:17 msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:24 msgid "" "This manual page describes the configuration of the simple access-control " "provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " "refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:38 msgid "" "The simple access provider grants or denies access based on an access or " "deny list of user or group names. The following rules apply:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:43 msgid "If all lists are empty, access is granted" msgstr "Pokud jsou všechny seznamy prázdné, přístup je udělen" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:47 msgid "" "If any list is provided, the order of evaluation is allow,deny. This means " "that any matching deny rule will supersede any matched allow rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:54 msgid "" "If either or both \"allow\" lists are provided, all users are denied unless " "they appear in the list." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:60 msgid "" "If only \"deny\" lists are provided, all users are granted access unless " "they appear in the list." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:78 msgid "simple_allow_users (string)" msgstr "simple_allow_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:81 msgid "Comma separated list of users who are allowed to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:88 msgid "simple_deny_users (string)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:91 msgid "Comma separated list of users who are explicitly denied access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:97 msgid "simple_allow_groups (string)" msgstr "simple_allow_groups (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:100 msgid "" "Comma separated list of groups that are allowed to log in. This applies only " "to groups within this SSSD domain. Local groups are not evaluated." msgstr "" "Čárkou oddělovaný seznam skupin, kterým je dovoleno se přihlásit. Toto se " "uplatní pouze na skupiny v rámci SSSD domény. Místní skupiny nejsou takto " "vyhodnocovány." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:108 msgid "simple_deny_groups (string)" msgstr "simple_deny_groups (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:111 msgid "" "Comma separated list of groups that are explicitly denied access. This " "applies only to groups within this SSSD domain. Local groups are not " "evaluated." msgstr "" "Čárkou oddělovaný seznam skupin, kterým je výslovně odepřen přístup. Toto se " "uplatní pouze na skupiny v rámci SSSD domény. Místní skupiny nejsou takto " "vyhodnocovány." #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:70 sssd-ipa.5.xml:83 sssd-ad.5.xml:131 msgid "" "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> manual page for details on the configuration of an SSSD " "domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:120 msgid "" "Specifying no values for any of the lists is equivalent to skipping it " "entirely. Beware of this while generating parameters for the simple provider " "using automated scripts." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:125 msgid "" "Please note that it is an configuration error if both, simple_allow_users " "and simple_deny_users, are defined." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:133 msgid "" "The following example assumes that SSSD is correctly configured and example." "com is one of the domains in the <replaceable>[sssd]</replaceable> section. " "This examples shows only the simple access provider-specific options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-simple.5.xml:140 #, no-wrap msgid "" "[domain/example.com]\n" "access_provider = simple\n" "simple_allow_users = user1, user2\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:150 msgid "" "The complete group membership hierarchy is resolved before the access check, " "thus even nested groups can be included in the access lists. Please be " "aware that the <quote>ldap_group_nesting_level</quote> option may impact the " "results and should be set to a sufficient value. (<citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" "citerefentry>) option." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss-certmap.5.xml:10 sss-certmap.5.xml:16 msgid "sss-certmap" msgstr "sss-certmap" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss-certmap.5.xml:17 msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:23 msgid "" "The manual page describes the rules which can be used by SSSD and other " "components to match X.509 certificates and map them to accounts." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:28 msgid "" "Each rule has four components, a <quote>priority</quote>, a <quote>matching " "rule</quote>, a <quote>mapping rule</quote> and a <quote>domain list</" "quote>. All components are optional. A missing <quote>priority</quote> will " "add the rule with the lowest priority. The default <quote>matching rule</" "quote> will match certificates with the digitalSignature key usage and " "clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " "the certificates will be searched in the userCertificate attribute as DER " "encoded binary. If no domains are given only the local domain will be " "searched." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:39 msgid "" "To allow extensions or completely different style of rule the " "<quote>mapping</quote> and <quote>matching rules</quote> can contain a " "prefix separated with a ':' from the main part of the rule. The prefix may " "only contain upper-case ASCII letters and numbers. If the prefix is omitted " "the default type will be used which is 'KRB5' for the matching rules and " "'LDAP' for the mapping rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:48 msgid "" "The 'sssctl' utility provides the 'cert-eval-rule' command to check if a " "given certificate matches a matching rules and how the output of a mapping " "rule would look like." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss-certmap.5.xml:55 msgid "RULE COMPONENTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:57 msgid "PRIORITY" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:59 msgid "" "The rules are processed by priority while the number '0' (zero) indicates " "the highest priority. The higher the number the lower is the priority. A " "missing value indicates the lowest priority. The rules processing is stopped " "when a matched rule is found and no further rules are checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:66 msgid "" "Internally the priority is treated as unsigned 32bit integer, using a " "priority value larger than 4294967295 will cause an error." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:70 msgid "" "If multiple rules have the same priority and only one of the related " "matching rules applies, this rule will be chosen. If there are multiple " "rules with the same priority which matches, one is chosen but which one is " "undefined. To avoid this undefined behavior either use different priorities " "or make the matching rules more specific e.g. by using distinct <" "ISSUER> patterns." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:79 msgid "MATCHING RULE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:81 msgid "" "The matching rule is used to select a certificate to which the mapping rule " "should be applied. It uses a system similar to the one used by " "<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " "keyword enclosed by '<' and '>' which identified a certain part of the " "certificate and a pattern which should be found for the rule to match. " "Multiple keyword pattern pairs can be either joined with '&&' (and) " "or '||' (or)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:90 msgid "" "Given the similarity to MIT Kerberos the type prefix for this rule is " "'KRB5'. But 'KRB5' will also be the default for <quote>matching rules</" "quote> so that \"<SUBJECT>.*,DC=MY,DC=DOMAIN\" and \"KRB5:<" "SUBJECT>.*,DC=MY,DC=DOMAIN\" are equivalent." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:99 msgid "<SUBJECT>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:102 msgid "" "With this a part or the whole subject name of the certificate can be " "matched. For the matching POSIX Extended Regular Expression syntax is used, " "see regex(7) for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:108 msgid "" "For the matching the subject name stored in the certificate in DER encoded " "ASN.1 is converted into a string according to RFC 4514. This means the most " "specific name component comes first. Please note that not all possible " "attribute names are covered by RFC 4514. The names included are 'CN', 'L', " "'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " "be shown differently on different platform and by different tools. To avoid " "confusion those attribute names are best not used or covered by a suitable " "regular-expression." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:121 msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "Příklad: <SUBJECT>.*,DC=MOJE,DC=DOMENA" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:124 msgid "" "Please note that the characters \"^.[$()|*+?{\\\" have a special meaning in " "regular expressions and must be escaped with the help of the '\\' character " "so that they are matched as ordinary characters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:130 msgid "Example: <SUBJECT>^CN=.* \$Admin\$,DC=MY,DC=DOMAIN$" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:135 msgid "<ISSUER>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:138 msgid "" "With this a part or the whole issuer name of the certificate can be matched. " "All comments for <SUBJECT> apply her as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:143 msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:148 msgid "<KU>key-usage" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:151 msgid "" "This option can be used to specify which key usage values the certificate " "should have. The following values can be used in a comma separated list:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:155 msgid "digitalSignature" msgstr "digitalSignature" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:156 msgid "nonRepudiation" msgstr "nonRepudiation" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:157 msgid "keyEncipherment" msgstr "keyEncipherment" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:158 msgid "dataEncipherment" msgstr "dataEncipherment" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:159 msgid "keyAgreement" msgstr "keyAgreement" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:160 msgid "keyCertSign" msgstr "keyCertSign" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:161 msgid "cRLSign" msgstr "cRLSign" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:162 msgid "encipherOnly" msgstr "encipherOnly" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:163 msgid "decipherOnly" msgstr "decipherOnly" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:167 msgid "" "A numerical value in the range of a 32bit unsigned integer can be used as " "well to cover special use cases." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:171 msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:176 msgid "<EKU>extended-key-usage" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:179 msgid "" "This option can be used to specify which extended key usage the certificate " "should have. The following value can be used in a comma separated list:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:183 msgid "serverAuth" msgstr "serverAuth" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:184 msgid "clientAuth" msgstr "clientAuth" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:185 msgid "codeSigning" msgstr "codeSigning" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:186 msgid "emailProtection" msgstr "emailProtection" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:187 msgid "timeStamping" msgstr "timeStamping" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:188 msgid "OCSPSigning" msgstr "OCSPSigning" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:189 msgid "KPClientAuth" msgstr "KPClientAuth" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:190 msgid "pkinit" msgstr "pkinit" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:191 msgid "msScLogin" msgstr "msScLogin" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:195 msgid "" "Extended key usages which are not listed above can be specified with their " "OID in dotted-decimal notation." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:199 msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:204 msgid "<SAN>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:207 msgid "" "To be compatible with the usage of MIT Kerberos this option will match the " "Kerberos principals in the PKINIT or AD NT Principal SAN as <SAN:" "Principal> does." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:212 msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:217 msgid "<SAN:Principal>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:220 msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:224 msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:229 msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:232 msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:236 msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:241 msgid "<SAN:pkinit>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:244 msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:247 msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:252 msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:255 msgid "" "Take the value of the otherName SAN component given by the OID in dotted-" "decimal notation, interpret it as string and try to match it against the " "regular expression." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:261 msgid "Example: <SAN:1.2.3.4>test" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:266 msgid "<SAN:otherName>base64-string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:269 msgid "" "Do a binary match with the base64 encoded blob against all otherName SAN " "components. With this option it is possible to match against custom " "otherName components with special encodings which could not be treated as " "strings." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:276 msgid "Example: <SAN:otherName>MTIz" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:281 msgid "<SAN:rfc822Name>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:284 msgid "Match the value of the rfc822Name SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:287 msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:292 msgid "<SAN:dNSName>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:295 msgid "Match the value of the dNSName SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:298 msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:303 msgid "<SAN:x400Address>base64-string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:306 msgid "Binary match the value of the x400Address SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:309 msgid "Example: <SAN:x400Address>MTIz" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:314 msgid "<SAN:directoryName>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:317 msgid "" "Match the value of the directoryName SAN. The same comments as given for <" "ISSUER> and <SUBJECT> apply here as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:322 msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:327 msgid "<SAN:ediPartyName>base64-string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:330 msgid "Binary match the value of the ediPartyName SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:333 msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:338 msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:341 msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:344 msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:349 msgid "<SAN:iPAddress>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:352 msgid "Match the value of the iPAddress SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:355 msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:360 msgid "<SAN:registeredID>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:363 msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:367 msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:96 msgid "" "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:375 msgid "MAPPING RULE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:377 msgid "" "The mapping rule is used to associate a certificate with one or more " "accounts. A Smartcard with the certificate and the matching private key can " "then be used to authenticate as one of those accounts." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:382 msgid "" "Currently SSSD basically only supports LDAP to lookup user information (the " "exception is the proxy provider which is not of relevance here). Because of " "this the mapping rule is based on LDAP search filter syntax with templates " "to add certificate content to the filter. It is expected that the filter " "will only contain the specific data needed for the mapping and that the " "caller will embed it in another filter to do the actual search. Because of " "this the filter string should start and stop with '(' and ')' respectively." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:392 msgid "" "In general it is recommended to use attributes from the certificate and add " "them to special attributes to the LDAP user object. E.g. the " "'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " "for IPA can be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:398 msgid "" "This should be preferred to read user specific data from the certificate " "like e.g. an email address and search for it in the LDAP server. The reason " "is that the user specific data in LDAP might change for various reasons " "would break the mapping. On the other hand it would be hard to break the " "mapping on purpose for a specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:406 msgid "" "The default <quote>mapping rule</quote> type is 'LDAP' which can be added as " "a prefix to a rule like e.g. 'LDAP:(userCertificate;binary={cert!bin})'. " "There is an extension called 'LDAPU1' which offer more templates for more " "flexibility. To allow older versions of this library to ignore the extension " "the prefix 'LDAPU1' must be used when using the new templates in a " "<quote>mapping rule</quote> otherwise the old version of this library will " "fail with a parsing error. The new templates are described in section <xref " "linkend=\"map_ldapu1\"/>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:424 msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:427 msgid "" "This template will add the full issuer DN converted to a string according to " "RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " "the '_x500' prefix should be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:433 sss-certmap.5.xml:459 msgid "" "The conversion options starting with 'ad_' will use attribute names as used " "by AD, e.g. 'S' instead of 'ST'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:437 sss-certmap.5.xml:463 msgid "" "The conversion options starting with 'nss_' will use attribute names as used " "by NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:441 sss-certmap.5.xml:467 msgid "" "The default conversion option is 'nss', i.e. attribute names according to " "NSS and LDAP/RFC 4514 ordering." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:445 msgid "" "Example: (ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!" "ad})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:450 msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:453 msgid "" "This template will add the full subject DN converted to string according to " "RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " "the '_x500' prefix should be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:471 msgid "" "Example: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>" "{subject_dn!nss_x500})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:476 msgid "{cert[!(bin|base64)]}" msgstr "{cert[!(bin|base64)]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:479 msgid "" "This template will add the whole DER encoded certificate as a string to the " "search filter. Depending on the conversion option the binary certificate is " "either converted to an escaped hex sequence '\\xx' or base64. The escaped " "hex sequence is the default and can e.g. be used with the LDAP attribute " "'userCertificate;binary'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:487 msgid "Example: (userCertificate;binary={cert!bin})" msgstr "Příklad: (userCertificate;binary={cert!bin})" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:492 msgid "{subject_principal[.short_name]}" msgstr "{subject_principal[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:495 msgid "" "This template will add the Kerberos principal which is taken either from the " "SAN used by pkinit or the one used by AD. The 'short_name' component " "represents the first part of the principal before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:501 msgid "" "Example: (|(userPrincipal={subject_principal})" "(samAccountName={subject_principal.short_name}))" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:506 msgid "{subject_pkinit_principal[.short_name]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:509 msgid "" "This template will add the Kerberos principal which is given by the SAN used " "by pkinit. The 'short_name' component represents the first part of the " "principal before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:515 msgid "" "Example: (|(userPrincipal={subject_pkinit_principal})" "(uid={subject_pkinit_principal.short_name}))" msgstr "" "Příklad: (|(userPrincipal={subject_pkinit_principal})" "(uid={subject_pkinit_principal.short_name}))" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:520 msgid "{subject_nt_principal[.short_name]}" msgstr "{subject_nt_principal[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:523 msgid "" "This template will add the Kerberos principal which is given by the SAN used " "by AD. The 'short_name' component represent the first part of the principal " "before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:529 #, fuzzy #| msgid "" #| "Example: (|(userPrincipal={subject_pkinit_principal})" #| "(uid={subject_pkinit_principal.short_name}))" msgid "" "Example: (|(userPrincipalName={subject_nt_principal})" "(samAccountName={subject_nt_principal.short_name}))" msgstr "" "Příklad: (|(userPrincipal={subject_pkinit_principal})" "(uid={subject_pkinit_principal.short_name}))" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:534 msgid "{subject_rfc822_name[.short_name]}" msgstr "{subject_rfc822_name[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:537 msgid "" "This template will add the string which is stored in the rfc822Name " "component of the SAN, typically an email address. The 'short_name' component " "represents the first part of the address before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:543 msgid "" "Example: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." "short_name}))" msgstr "" "Příklad: (|(mail={subject_rfc822_name})(uid={subject_rfc822_name." "short_name}))" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:548 msgid "{subject_dns_name[.short_name]}" msgstr "{subject_dns_name[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:551 msgid "" "This template will add the string which is stored in the dNSName component " "of the SAN, typically a fully-qualified host name. The 'short_name' " "component represents the first part of the name before the first '.' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:557 msgid "" "Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" "Příklad: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:562 msgid "{subject_uri}" msgstr "{subject_uri}" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:565 msgid "" "This template will add the string which is stored in the " "uniformResourceIdentifier component of the SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:569 msgid "Example: (uri={subject_uri})" msgstr "Příklad: (uri={subject_uri})" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:574 msgid "{subject_ip_address}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:577 msgid "" "This template will add the string which is stored in the iPAddress component " "of the SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:581 msgid "Example: (ip={subject_ip_address})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:586 msgid "{subject_x400_address}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:589 msgid "" "This template will add the value which is stored in the x400Address " "component of the SAN as escaped hex sequence." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:594 msgid "Example: (attr:binary={subject_x400_address})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:599 msgid "" "{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:602 msgid "" "This template will add the DN string of the value which is stored in the " "directoryName component of the SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:606 msgid "Example: (orig_dn={subject_directory_name})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:611 msgid "{subject_ediparty_name}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:614 msgid "" "This template will add the value which is stored in the ediPartyName " "component of the SAN as escaped hex sequence." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:619 msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:624 msgid "{subject_registered_id}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:627 msgid "" "This template will add the OID which is stored in the registeredID component " "of the SAN as a dotted-decimal string." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:632 msgid "Example: (oid={subject_registered_id})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:417 msgid "" "The templates to add certificate data to the search filter are based on " "Python-style formatting strings. They consist of a keyword in curly braces " "with an optional sub-component specifier separated by a '.' or an optional " "conversion/formatting option separated by a '!'. Allowed values are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><title> #: sss-certmap.5.xml:639 msgid "LDAPU1 extension" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para> #: sss-certmap.5.xml:641 msgid "The following template are available when using the 'LDAPU1' extension:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:647 msgid "{serial_number[!(dec|hex[_ucr])]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:650 msgid "" "This template will add the serial number of the certificate. By default it " "will be printed as a hexadecimal number with lower-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:655 msgid "" "With the formatting option '!dec' the number will be printed as decimal " "string. The hexadecimal output can be printed with upper-case letters ('!" "hex_u'), with a colon separating the hexadecimal bytes ('!hex_c') or with " "the hexadecimal bytes in reverse order ('!hex_r'). The postfix letters can " "be combined so that e.g. '!hex_uc' will produce a colon-separated " "hexadecimal string with upper-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:665 #, fuzzy #| msgid "Example: (uri={subject_uri})" msgid "Example: LDAPU1:(serial={serial_number})" msgstr "Příklad: (uri={subject_uri})" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:671 msgid "{subject_key_id[!hex[_ucr]]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:674 msgid "" "This template will add the subject key id of the certificate. By default it " "will be printed as a hexadecimal number with lower-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:679 msgid "" "The hexadecimal output can be printed with upper-case letters ('!hex_u'), " "with a colon separating the hexadecimal bytes ('!hex_c') or with the " "hexadecimal bytes in reverse order ('!hex_r'). The postfix letters can be " "combined so that e.g. '!hex_uc' will produce a colon-separated hexadecimal " "string with upper-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:688 #, fuzzy #| msgid "Example: (uri={subject_uri})" msgid "Example: LDAPU1:(ski={subject_key_id})" msgstr "Příklad: (uri={subject_uri})" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:694 msgid "{cert[!DIGEST[_ucr]]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:697 msgid "" "This template will add the hexadecimal digest/hash of the certificate where " "DIGEST must be replaced with the name of a digest/hash function supported by " "OpenSSL, e.g. 'sha512'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:703 msgid "" "The hexadecimal output can be printed with upper-case letters ('!sha512_u'), " "with a colon separating the hexadecimal bytes ('!sha512_c') or with the " "hexadecimal bytes in reverse order ('!sha512_r'). The postfix letters can be " "combined so that e.g. '!sha512_uc' will produce a colon-separated " "hexadecimal string with upper-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:712 msgid "Example: LDAPU1:(dgst={cert!sha256})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:718 #, fuzzy #| msgid "{subject_dns_name[.short_name]}" msgid "{subject_dn_component[(.attr_name|[number]]}" msgstr "{subject_dns_name[.short_name]}" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:721 msgid "" "This template will add an attribute value of a component of the subject DN, " "by default the value of the most specific component." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:726 msgid "" "A different component can it either selected by attribute name, e.g. " "{subject_dn_component.uid} or by position, e.g. {subject_dn_component.[2]} " "where positive numbers start counting from the most specific component and " "negative numbers start counting from the least specific component. Attribute " "name and the position can be combined as e.g. {subject_dn_component.uid[2]} " "which means that the name of the second component must be 'uid'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:737 #, fuzzy #| msgid "Example: (uri={subject_uri})" msgid "Example: LDAPU1:(uid={subject_dn_component.uid})" msgstr "Příklad: (uri={subject_uri})" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:743 msgid "{issuer_dn_component[(.attr_name|[number]]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:746 msgid "" "This template will add an attribute value of a component of the issuer DN, " "by default the value of the most specific component." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:751 msgid "" "See 'subject_dn_component' for details about the attribute name and position " "specifiers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:755 msgid "" "Example: LDAPU1:(domain={issuer_dn_component.[-2]}.{issuer_dn_component." "dc[-1]})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:760 msgid "{sid[.rid]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:763 msgid "" "This template will add the SID if the corresponding extension introduced by " "Microsoft with the OID 1.3.6.1.4.1.311.25.2 is available. With the '.rid' " "selector only the last component, i.e. the RID, will be added." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:770 msgid "Example: LDAPU1:(objectsid={sid})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:779 msgid "DOMAIN LIST" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:781 msgid "" "If the domain list is not empty users mapped to a given certificate are not " "only searched in the local domain but in the listed domains as well as long " "as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 msgid "sssd-ipa" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ipa.5.xml:17 msgid "SSSD IPA provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:23 msgid "" "This manual page describes the configuration of the IPA provider for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:36 msgid "" "The IPA provider is a back end used to connect to an IPA server. (Refer to " "the freeipa.org web site for information about IPA servers.) This provider " "requires that the machine be joined to the IPA domain; configuration is " "almost entirely self-discovered and obtained directly from the server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:43 msgid "" "The IPA provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " "provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> authentication provider with " "optimizations for IPA environments. The IPA provider accepts the same " "options used by the sssd-ldap and sssd-krb5 providers with some exceptions. " "However, it is neither necessary nor recommended to set these options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:57 msgid "" "The IPA provider primarily copies the traditional ldap and krb5 provider " "default options with some exceptions, the differences are listed in the " "<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:62 msgid "" "As an access provider, the IPA provider has a minimal configuration (see " "<quote>ipa_access_order</quote>) as it mainly uses HBAC (host-based access " "control) rules. Please refer to freeipa.org for more information about HBAC." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:68 msgid "" "If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " "configured in sssd.conf then the id_provider must also be set to <quote>ipa</" "quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:74 msgid "" "The IPA provider will use the PAC responder if the Kerberos tickets of users " "from trusted realms contain a PAC. To make configuration easier the PAC " "responder is started automatically if the IPA ID provider is configured." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:90 msgid "ipa_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:93 msgid "" "Specifies the name of the IPA domain. This is optional. If not provided, " "the configuration domain name is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:101 msgid "ipa_server, ipa_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:104 msgid "" "The comma-separated list of IP addresses or hostnames of the IPA servers to " "which SSSD should connect in the order of preference. For more information " "on failover and server redundancy, see the <quote>FAILOVER</quote> section. " "This is optional if autodiscovery is enabled. For more information on " "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:117 msgid "ipa_hostname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:120 msgid "" "Optional. May be set on machines where the hostname(5) does not reflect the " "fully qualified name used in the IPA domain to identify this host. The " "hostname must be fully qualified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:129 sssd-ad.5.xml:1181 msgid "dyndns_update (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:132 msgid "" "Optional. This option tells SSSD to automatically update the DNS server " "built into FreeIPA with the IP address of this client. The update is secured " "using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " "updates, if it is not otherwise specified by using the <quote>dyndns_iface</" "quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:141 sssd-ad.5.xml:1195 msgid "" "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " "the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:146 msgid "" "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_update</" "emphasis> option, users should migrate to using <emphasis>dyndns_update</" "emphasis> in their config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:158 sssd-ad.5.xml:1206 msgid "dyndns_ttl (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:161 sssd-ad.5.xml:1209 msgid "" "The TTL to apply to the client DNS record when updating it. If " "dyndns_update is false this has no effect. This will override the TTL " "serverside if set by an administrator." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:166 msgid "" "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_ttl</" "emphasis> option, users should migrate to using <emphasis>dyndns_ttl</" "emphasis> in their config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:172 msgid "Default: 1200 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:178 sssd-ad.5.xml:1220 msgid "dyndns_iface (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:181 sssd-ad.5.xml:1223 msgid "" "Optional. Applicable only when dyndns_update is true. Choose the interface " "or a list of interfaces whose IP addresses should be used for dynamic DNS " "updates. Special value <quote>*</quote> implies that IPs from all interfaces " "should be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:188 msgid "" "NOTE: While it is still possible to use the old <emphasis>ipa_dyndns_iface</" "emphasis> option, users should migrate to using <emphasis>dyndns_iface</" "emphasis> in their config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:194 msgid "" "Default: Use the IP addresses of the interface which is used for IPA LDAP " "connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:198 sssd-ad.5.xml:1234 msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:204 sssd-ad.5.xml:1290 msgid "dyndns_auth (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:207 sssd-ad.5.xml:1293 msgid "" "Whether the nsupdate utility should use GSS-TSIG authentication for secure " "updates with the DNS server, insecure updates can be sent by setting this " "option to 'none'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:213 sssd-ad.5.xml:1299 msgid "Default: GSS-TSIG" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:219 sssd-ad.5.xml:1305 msgid "dyndns_auth_ptr (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:222 sssd-ad.5.xml:1308 msgid "" "Whether the nsupdate utility should use GSS-TSIG authentication for secure " "PTR updates with the DNS server, insecure updates can be sent by setting " "this option to 'none'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:228 sssd-ad.5.xml:1314 msgid "Default: Same as dyndns_auth" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:234 msgid "ipa_enable_dns_sites (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:237 sssd-ad.5.xml:238 msgid "Enables DNS sites - location based service discovery." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:241 msgid "" "If true and service discovery (see Service Discovery paragraph at the bottom " "of the man page) is enabled, then the SSSD will first attempt location " "based discovery using a query that contains \"_location.hostname.example." "com\" and then fall back to traditional SRV discovery. If the location based " "discovery succeeds, the IPA servers located with the location based " "discovery are treated as primary servers and the IPA servers located using " "the traditional SRV discovery are used as back up servers" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:260 sssd-ad.5.xml:1240 msgid "dyndns_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:263 msgid "" "How often should the back end perform periodic DNS update in addition to the " "automatic update performed when the back end goes online. This option is " "optional and applicable only when dyndns_update is true." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:276 sssd-ad.5.xml:1258 msgid "dyndns_update_ptr (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:279 sssd-ad.5.xml:1261 msgid "" "Whether the PTR record should also be explicitly updated when updating the " "client's DNS records. Applicable only when dyndns_update is true." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:284 msgid "" "This option should be False in most IPA deployments as the IPA server " "generates the PTR records automatically when forward records are changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:290 sssd-ad.5.xml:1266 msgid "" "Note that <emphasis>dyndns_update_per_family</emphasis> parameter does not " "apply for PTR record updates. Those updates are always sent separately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:295 msgid "Default: False (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:301 sssd-ad.5.xml:1277 msgid "dyndns_force_tcp (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:304 sssd-ad.5.xml:1280 msgid "" "Whether the nsupdate utility should default to using TCP for communicating " "with the DNS server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:308 sssd-ad.5.xml:1284 msgid "Default: False (let nsupdate choose the protocol)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:314 sssd-ad.5.xml:1320 msgid "dyndns_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:317 sssd-ad.5.xml:1323 msgid "" "The DNS server to use when performing a DNS update. In most setups, it's " "recommended to leave this option unset." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:322 sssd-ad.5.xml:1328 msgid "" "Setting this option makes sense for environments where the DNS server is " "different from the identity server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:327 sssd-ad.5.xml:1333 msgid "" "Please note that this option will be only used in fallback attempt when " "previous attempt using autodetected settings failed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:332 sssd-ad.5.xml:1338 msgid "Default: None (let nsupdate choose the server)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:338 sssd-ad.5.xml:1344 msgid "dyndns_update_per_family (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:341 sssd-ad.5.xml:1347 msgid "" "DNS update is by default performed in two steps - IPv4 update and then IPv6 " "update. In some cases it might be desirable to perform IPv4 and IPv6 update " "in single step." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:353 #, fuzzy #| msgid "krb5_rcache_dir (string)" msgid "ipa_access_order (string)" msgstr "krb5_rcache_dir (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:360 msgid "<emphasis>expire</emphasis>: use IPA's account expiration policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:399 msgid "" "Please note that 'access_provider = ipa' must be set for this feature to " "work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:406 msgid "ipa_deskprofile_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:409 msgid "" "Optional. Use the given string as search base for Desktop Profile related " "objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:413 sssd-ipa.5.xml:440 msgid "Default: Use base DN" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:419 #, fuzzy #| msgid "simple_deny_users (string)" msgid "ipa_subid_ranges_search_base (string)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:422 msgid "" "Optional. Use the given string as search base for subordinate ranges related " "objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:426 msgid "Default: the value of <emphasis>cn=subids,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:433 msgid "ipa_hbac_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:436 msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:446 msgid "ipa_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:449 msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:455 msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:458 msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:474 msgid "ipa_subdomains_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:477 msgid "Optional. Use the given string as search base for trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:486 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:493 msgid "ipa_master_domain_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:496 msgid "Optional. Use the given string as search base for master domain object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:505 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:512 msgid "ipa_views_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:515 msgid "Optional. Use the given string as search base for views containers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:524 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:534 msgid "" "The name of the Kerberos realm. This is optional and defaults to the value " "of <quote>ipa_domain</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:538 msgid "" "The name of the Kerberos realm has a special meaning in IPA - it is " "converted into the base DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:546 sssd-ad.5.xml:1362 msgid "krb5_confd_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:549 sssd-ad.5.xml:1365 msgid "" "Absolute path of a directory where SSSD should place Kerberos configuration " "snippets." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:553 sssd-ad.5.xml:1369 msgid "" "To disable the creation of the configuration snippets set the parameter to " "'none'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:557 sssd-ad.5.xml:1373 msgid "" "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:564 msgid "ipa_deskprofile_refresh (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:567 msgid "" "The amount of time between lookups of the Desktop Profile rules against the " "IPA server. This will reduce the latency and load on the IPA server if there " "are many desktop profiles requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:574 sssd-ipa.5.xml:604 sssd-ipa.5.xml:620 sssd-ad.5.xml:599 msgid "Default: 5 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:580 msgid "ipa_deskprofile_request_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:583 msgid "" "The amount of time between lookups of the Desktop Profile rules against the " "IPA server in case the last request did not return any rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:588 msgid "Default: 60 (minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:594 msgid "ipa_hbac_refresh (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:597 msgid "" "The amount of time between lookups of the HBAC rules against the IPA server. " "This will reduce the latency and load on the IPA server if there are many " "access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:610 msgid "ipa_hbac_selinux (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:613 msgid "" "The amount of time between lookups of the SELinux maps against the IPA " "server. This will reduce the latency and load on the IPA server if there are " "many user login requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:626 msgid "ipa_server_mode (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:629 msgid "" "This option will be set by the IPA installer (ipa-server-install) " "automatically and denotes if SSSD is running on an IPA server or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:634 msgid "" "On an IPA server SSSD will lookup users and groups from trusted domains " "directly while on a client it will ask an IPA server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:639 msgid "" "NOTE: There are currently some assumptions that must be met when SSSD is " "running on an IPA server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:644 msgid "" "The <quote>ipa_server</quote> option must be configured to point to the IPA " "server itself. This is already the default set by the IPA installer, so no " "manual change is required." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:653 msgid "" "The <quote>full_name_format</quote> option must not be tweaked to only print " "short names for users from trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:668 msgid "ipa_automount_location (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:671 msgid "The automounter location this IPA client will be using" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:674 msgid "Default: The location named \"default\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ipa.5.xml:682 msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:691 msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:694 msgid "Objectclass of the view container." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:697 msgid "Default: nsContainer" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:703 msgid "ipa_view_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:706 msgid "Name of the attribute holding the name of the view." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:710 sssd-ldap-attributes.5.xml:496 #: sssd-ldap-attributes.5.xml:832 sssd-ldap-attributes.5.xml:913 #: sssd-ldap-attributes.5.xml:1010 sssd-ldap-attributes.5.xml:1068 #: sssd-ldap-attributes.5.xml:1226 sssd-ldap-attributes.5.xml:1271 msgid "Default: cn" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:716 msgid "ipa_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:719 msgid "Objectclass of the override objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:722 msgid "Default: ipaOverrideAnchor" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:728 msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:731 msgid "" "Name of the attribute containing the reference to the original object in a " "remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:735 msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:741 msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:744 msgid "" "Name of the objectclass for user overrides. It is used to determine if the " "found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:749 msgid "User overrides can contain attributes given by" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:752 msgid "ldap_user_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:755 msgid "ldap_user_uid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:758 msgid "ldap_user_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:761 msgid "ldap_user_gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:764 msgid "ldap_user_home_directory" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:767 msgid "ldap_user_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:770 msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:775 msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:781 msgid "ipa_group_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:784 msgid "" "Name of the objectclass for group overrides. It is used to determine if the " "found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:789 msgid "Group overrides can contain attributes given by" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:792 msgid "ldap_group_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:795 msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:800 msgid "Default: ipaGroupOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:684 msgid "" "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " "later version. Since all paths and objectclasses are fixed on the server " "side there is basically no need to configure anything. For completeness the " "related options are listed here with their default values. <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ipa.5.xml:812 msgid "SUBDOMAINS PROVIDER" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:814 msgid "" "The IPA subdomains provider behaves slightly differently if it is configured " "explicitly or implicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:818 msgid "" "If the option 'subdomains_provider = ipa' is found in the domain section of " "sssd.conf, the IPA subdomains provider is configured explicitly, and all " "subdomain requests are sent to the IPA server if necessary." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:824 msgid "" "If the option 'subdomains_provider' is not set in the domain section of sssd." "conf but there is the option 'id_provider = ipa', the IPA subdomains " "provider is configured implicitly. In this case, if a subdomain request " "fails and indicates that the server does not support subdomains, i.e. is not " "configured for trusts, the IPA subdomains provider is disabled. After an " "hour or after the IPA provider goes online, the subdomains provider is " "enabled again." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ipa.5.xml:835 msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ipa.5.xml:843 #, no-wrap msgid "" "[domain/ipa.domain.com/ad.domain.com]\n" "ad_server = dc.ad.domain.com\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:837 msgid "" "Some configuration options can also be set for a trusted domain. A trusted " "domain configuration can be set using the trusted domain subsection as shown " "in the example below. Alternatively, the <quote>subdomain_inherit</quote> " "option can be used in the parent domain. <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:848 msgid "" "For more details, see the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:855 msgid "" "Different configuration options are tunable for a trusted domain depending " "on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ipa.5.xml:860 msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:862 msgid "" "The following options can be set in a subdomain section on an IPA master:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:866 sssd-ipa.5.xml:896 msgid "ad_server" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:869 msgid "ad_backup_server" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:872 sssd-ipa.5.xml:899 msgid "ad_site" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:875 msgid "ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:878 msgid "ldap_user_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:881 msgid "ldap_group_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ipa.5.xml:890 msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:892 msgid "" "The following options can be set in a subdomain section on an IPA client:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:904 msgid "" "Note that if both options are set, only <quote>ad_server</quote> is " "evaluated." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:908 msgid "" "Since any request for a user or a group identity from a trusted domain " "triggered from an IPA client is resolved by the IPA server, the " "<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " "which AD DC will the authentication be performed against. In particular, the " "addresses resolved from these lists will be written to <quote>kdcinfo</" "quote> files read by the Kerberos locator plugin. Please refer to the " "<citerefentry> <refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " "Kerberos locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:932 msgid "" "The following example assumes that SSSD is correctly configured and example." "com is one of the domains in the <replaceable>[sssd]</replaceable> section. " "This examples shows only the ipa provider-specific options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ipa.5.xml:939 #, no-wrap msgid "" "[domain/example.com]\n" "id_provider = ipa\n" "ipa_server = ipaserver.example.com\n" "ipa_hostname = myhost.example.com\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ad.5.xml:10 sssd-ad.5.xml:16 msgid "sssd-ad" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ad.5.xml:17 msgid "SSSD Active Directory provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:23 msgid "" "This manual page describes the configuration of the AD provider for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:36 msgid "" "The AD provider is a back end used to connect to an Active Directory server. " "This provider requires that the machine be joined to the AD domain and a " "keytab is available. Back end communication occurs over a GSSAPI-encrypted " "channel, SSL/TLS options should not be used with the AD provider and will be " "superseded by Kerberos usage." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:44 msgid "" "The AD provider supports connecting to Active Directory 2008 R2 or later. " "Earlier versions may work, but are unsupported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:48 msgid "" "The AD provider can be used to get user information and authenticate users " "from trusted domains. Currently only trusted domains in the same forest are " "recognized. In addition servers from trusted domains are always auto-" "discovered." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:54 msgid "" "The AD provider enables SSSD to use the <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> identity " "provider and the <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> authentication provider with " "optimizations for Active Directory environments. The AD provider accepts the " "same options used by the sssd-ldap and sssd-krb5 providers with some " "exceptions. However, it is neither necessary nor recommended to set these " "options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:69 msgid "" "The AD provider primarily copies the traditional ldap and krb5 provider " "default options with some exceptions, the differences are listed in the " "<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:74 msgid "" "The AD provider can also be used as an access, chpass, sudo and autofs " "provider. No configuration of the access provider is required on the client " "side." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:79 msgid "" "If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " "configured in sssd.conf then the id_provider must also be set to <quote>ad</" "quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ad.5.xml:91 #, no-wrap msgid "" "ldap_id_mapping = False\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:85 msgid "" "By default, the AD provider will map UID and GID values from the objectSID " "parameter in Active Directory. For details on this, see the <quote>ID " "MAPPING</quote> section below. If you want to disable ID mapping and instead " "rely on POSIX attributes defined in Active Directory, you should set " "<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " "be used, it is recommended for performance reasons that the attributes are " "also replicated to the Global Catalog. If POSIX attributes are replicated, " "SSSD will attempt to locate the domain of a requested numerical ID with the " "help of the Global Catalog and only search that domain. In contrast, if " "POSIX attributes are not replicated to the Global Catalog, SSSD must search " "all the domains in the forest sequentially. Please note that the " "<quote>cache_first</quote> option might be also helpful in speeding up " "domainless searches. Note that if only a subset of POSIX attributes is " "present in the Global Catalog, the non-replicated attributes are currently " "not read from the LDAP port." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:108 msgid "" "Users, groups and other entities served by SSSD are always treated as case-" "insensitive in the AD provider for compatibility with Active Directory's " "LDAP implementation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:113 msgid "" "SSSD only resolves Active Directory Security Groups. For more information " "about AD group types see: <ulink url=\"https://docs.microsoft.com/en-us/" "windows-server/identity/ad-ds/manage/understand-security-groups\"> Active " "Directory security groups</ulink>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:120 msgid "" "SSSD filters out Domain Local groups from remote domains in the AD forest. " "By default they are filtered out e.g. when following a nested group " "hierarchy in remote domains because they are not valid in the local domain. " "This is done to be in agreement with Active Directory's group-membership " "assignment which can be seen in the PAC of the Kerberos ticket of a user " "issued by Active Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:138 msgid "ad_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:141 msgid "" "Specifies the name of the Active Directory domain. This is optional. If not " "provided, the configuration domain name is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:146 msgid "" "For proper operation, this option should be specified as the lower-case " "version of the long version of the Active Directory domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:151 msgid "" "The short domain name (also known as the NetBIOS or the flat name) is " "autodetected by the SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:158 msgid "ad_enabled_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:161 msgid "" "A comma-separated list of enabled Active Directory domains. If provided, " "SSSD will ignore any domains not listed in this option. If left unset, all " "discovered domains from the AD forest will be available." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:168 msgid "" "During the discovery of the domains SSSD will filter out some domains where " "flags or attributes indicate that they do not belong to the local forest or " "are not trusted. If ad_enabled_domains is set, SSSD will try to enable all " "listed domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:179 #, no-wrap msgid "" "ad_enabled_domains = sales.example.com, eng.example.com\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:175 msgid "" "For proper operation, this option must be specified in all lower-case and as " "the fully qualified domain name of the Active Directory domain. For example: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:183 msgid "" "The short domain name (also known as the NetBIOS or the flat name) will be " "autodetected by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:193 msgid "ad_server, ad_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:196 msgid "" "The comma-separated list of hostnames of the AD servers to which SSSD should " "connect in order of preference. For more information on failover and server " "redundancy, see the <quote>FAILOVER</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:203 msgid "" "This is optional if autodiscovery is enabled. For more information on " "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:208 msgid "" "Note: Trusted domains will always auto-discover servers even if the primary " "server is explicitly defined in the ad_server option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:216 msgid "ad_hostname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:219 msgid "" "Optional. On machines where the hostname(5) does not reflect the fully " "qualified name, sssd will try to expand the short name. If it is not " "possible or the short name should be really used instead, set this parameter " "explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:226 msgid "" "This field is used to determine the host principal in use in the keytab and " "to perform dynamic DNS updates. It must match the hostname for which the " "keytab was issued." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:235 msgid "ad_enable_dns_sites (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:242 msgid "" "If true and service discovery (see Service Discovery paragraph at the bottom " "of the man page) is enabled, the SSSD will first attempt to discover the " "Active Directory server to connect to using the Active Directory Site " "Discovery and fall back to the DNS SRV records if no AD site is found. The " "DNS SRV configuration, including the discovery domain, is used during site " "discovery as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:258 msgid "ad_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:261 msgid "" "This option specifies LDAP access control filter that the user must match in " "order to be allowed access. Please note that the <quote>access_provider</" "quote> option must be explicitly set to <quote>ad</quote> in order for this " "option to have an effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:269 msgid "" "The option also supports specifying different filters per domain or forest. " "This extended filter would consist of: <quote>KEYWORD:NAME:FILTER</quote>. " "The keyword can be either <quote>DOM</quote>, <quote>FOREST</quote> or " "missing." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:277 msgid "" "If the keyword equals to <quote>DOM</quote> or is missing, then <quote>NAME</" "quote> specifies the domain or subdomain the filter applies to. If the " "keyword equals to <quote>FOREST</quote>, then the filter equals to all " "domains from the forest specified by <quote>NAME</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:285 msgid "" "Multiple filters can be separated with the <quote>?</quote> character, " "similarly to how search bases work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:290 msgid "" "Nested group membership must be searched for using a special OID " "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full DOM:domain." "example.org: syntax to ensure the parser does not attempt to interpret the " "colon characters associated with the OID. If you do not use this OID then " "nested group membership will not be resolved. See usage example below and " "refer here for further information about the OID: <ulink url=\"https://msdn." "microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] section LDAP " "extensions</ulink>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:303 msgid "" "The most specific match is always used. For example, if the option specified " "filter for a domain the user is a member of and a global filter, the per-" "domain filter would be applied. If there are more matches with the same " "specification, the first one is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> #: sssd-ad.5.xml:314 #, no-wrap msgid "" "# apply filter on domain called dom1 only:\n" "dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" "\n" "# apply filter on domain called dom2 only:\n" "DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" "\n" "# apply filter on forest called EXAMPLE.COM only:\n" "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" "\n" "# apply filter for a member of a nested group in dom1:\n" "DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:333 msgid "ad_site (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:336 msgid "" "Specify AD site to which client should try to connect. If this option is " "not provided, the AD site will be auto-discovered." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:347 msgid "ad_enable_gc (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:350 msgid "" "By default, the SSSD connects to the Global Catalog first to retrieve users " "from trusted domains and uses the LDAP port to retrieve group memberships or " "as a fallback. Disabling this option makes the SSSD only connect to the LDAP " "port of the current AD server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:358 msgid "" "Please note that disabling Global Catalog support does not disable " "retrieving users from trusted domains. The SSSD would connect to the LDAP " "port of trusted domains instead. However, Global Catalog must be used in " "order to resolve cross-domain group memberships." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:372 msgid "ad_gpo_access_control (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:375 msgid "" "This option specifies the operation mode for GPO-based access control " "functionality: whether it operates in disabled mode, enforcing mode, or " "permissive mode. Please note that the <quote>access_provider</quote> option " "must be explicitly set to <quote>ad</quote> in order for this option to have " "an effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:384 msgid "" "GPO-based access control functionality uses GPO policy settings to determine " "whether or not a particular user is allowed to logon to the host. For more " "information on the supported policy settings please refer to the " "<quote>ad_gpo_map</quote> options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:392 msgid "" "Please note that current version of SSSD does not support Active Directory's " "built-in groups. Built-in groups (such as Administrators with SID " "S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " "upstream issue tracker https://github.com/SSSD/sssd/issues/5063 ." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:401 msgid "" "Before performing access control SSSD applies group policy security " "filtering on the GPOs. For every single user login, the applicability of the " "GPOs that are linked to the host is checked. In order for a GPO to apply to " "a user, the user or at least one of the groups to which it belongs must have " "following permissions on the GPO:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:411 msgid "" "Read: The user or one of its groups must have read access to the properties " "of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:418 msgid "" "Apply Group Policy: The user or at least one of its groups must be allowed " "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:426 msgid "" "By default, the Authenticated Users group is present on a GPO and this group " "has both Read and Apply Group Policy access rights. Since authentication of " "a user must have been completed successfully before GPO security filtering " "and access control are started, the Authenticated Users group permissions on " "the GPO always apply also to the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:435 msgid "" "NOTE: If the operation mode is set to enforcing, it is possible that users " "that were previously allowed logon access will now be denied logon access " "(as dictated by the GPO policy settings). In order to facilitate a smooth " "transition for administrators, a permissive mode is available that will not " "enforce the access control rules, but will evaluate them and will output a " "syslog message if access would have been denied. By examining the logs, " "administrators can then make the necessary changes before setting the mode " "to enforcing. For logging GPO-based access control debug level 'trace " "functions' is required (see <citerefentry> <refentrytitle>sssctl</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> manual page)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:454 msgid "There are three supported values for this option:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:458 msgid "" "disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:464 msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:470 msgid "" "permissive: GPO-based access control rules are evaluated, but not enforced. " "Instead, a syslog message will be emitted indicating that the user would " "have been denied access if this option's value were set to enforcing." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:481 msgid "Default: permissive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:484 msgid "Default: enforcing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:490 msgid "ad_gpo_implicit_deny (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:493 msgid "" "Normally when no applicable GPOs are found the users are allowed access. " "When this option is set to True users will be allowed access only when " "explicitly allowed by a GPO rule. Otherwise users will be denied access. " "This can be used to harden security but be careful when using this option " "because it can deny access even to users in the built-in Administrators " "group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:509 msgid "" "The following 2 tables should illustrate when a user is allowed or rejected " "based on the allow and deny login rights defined on the server-side and the " "setting of ad_gpo_implicit_deny." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:521 msgid "ad_gpo_implicit_deny = False (default)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:522 sssd-ad.5.xml:548 msgid "allow-rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:522 sssd-ad.5.xml:548 msgid "deny-rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:523 sssd-ad.5.xml:549 msgid "results" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> #: sssd-ad.5.xml:526 sssd-ad.5.xml:529 sssd-ad.5.xml:532 sssd-ad.5.xml:552 #: sssd-ad.5.xml:555 sssd-ad.5.xml:558 msgid "missing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:527 msgid "all users are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> #: sssd-ad.5.xml:529 sssd-ad.5.xml:532 sssd-ad.5.xml:535 sssd-ad.5.xml:555 #: sssd-ad.5.xml:558 sssd-ad.5.xml:561 msgid "present" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:530 msgid "only users not in deny-rules are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:533 sssd-ad.5.xml:559 msgid "only users in allow-rules are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:536 sssd-ad.5.xml:562 msgid "only users in allow-rules and not in deny-rules are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:547 msgid "ad_gpo_implicit_deny = True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:553 sssd-ad.5.xml:556 msgid "no users are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:569 msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:572 msgid "" "Normally when some group policy containers (AD object) of applicable group " "policy objects are not readable by SSSD then users are denied access. This " "option allows to ignore group policy containers and with them associated " "policies if their attributes in group policy containers are not readable for " "SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:589 msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:592 msgid "" "The amount of time between lookups of GPO policy files against the AD " "server. This will reduce the latency and load on the AD server if there are " "many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:605 msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:608 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the InteractiveLogonRight and " "DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " "for which the user has Read and Apply Group Policy permission (see option " "<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " "deny interactive logon setting for the user or one of its groups, the user " "is denied local access. If none of the evaluated GPOs has an interactive " "logon right defined, the user is granted local access. If at least one " "evaluated GPO contains interactive logon right settings, the user is granted " "local access only, if it or at least one of its groups is part of the policy " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:626 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on locally\" and \"Deny log on locally\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:640 #, no-wrap msgid "" "ad_gpo_map_interactive = +my_pam_service, -login\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:631 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right (e.g. " "<quote>login</quote>) with a custom pam service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:663 msgid "gdm-fingerprint" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:683 msgid "lightdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:688 msgid "lxdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:693 msgid "sddm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:698 msgid "unity" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:703 msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:712 msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:715 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the RemoteInteractiveLogonRight and " "DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " "evaluated for which the user has Read and Apply Group Policy permission (see " "option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " "the deny remote logon setting for the user or one of its groups, the user is " "denied remote interactive access. If none of the evaluated GPOs has a " "remote interactive logon right defined, the user is granted remote access. " "If at least one evaluated GPO contains remote interactive logon right " "settings, the user is granted remote access only, if it or at least one of " "its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:734 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on through Remote Desktop Services\" and \"Deny log on through Remote " "Desktop Services\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:749 #, no-wrap msgid "" "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:740 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right (e.g. " "<quote>sshd</quote>) with a custom pam service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:757 msgid "sshd" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:762 msgid "cockpit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:771 msgid "ad_gpo_map_network (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:774 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the NetworkLogonRight and " "DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " "which the user has Read and Apply Group Policy permission (see option " "<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " "deny network logon setting for the user or one of its groups, the user is " "denied network logon access. If none of the evaluated GPOs has a network " "logon right defined, the user is granted logon access. If at least one " "evaluated GPO contains network logon right settings, the user is granted " "logon access only, if it or at least one of its groups is part of the policy " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:792 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Access " "this computer from the network\" and \"Deny access to this computer from the " "network\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:807 #, no-wrap msgid "" "ad_gpo_map_network = +my_pam_service, -ftp\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:798 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right (e.g. " "<quote>ftp</quote>) with a custom pam service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:815 msgid "ftp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:820 msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:829 msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:832 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " "policy settings. Only those GPOs are evaluated for which the user has Read " "and Apply Group Policy permission (see option <quote>ad_gpo_access_control</" "quote>). If an evaluated GPO contains the deny batch logon setting for the " "user or one of its groups, the user is denied batch logon access. If none " "of the evaluated GPOs has a batch logon right defined, the user is granted " "logon access. If at least one evaluated GPO contains batch logon right " "settings, the user is granted logon access only, if it or at least one of " "its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:850 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:864 #, no-wrap msgid "" "ad_gpo_map_batch = +my_pam_service, -crond\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:855 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right (e.g. " "<quote>crond</quote>) with a custom pam service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:867 msgid "" "Note: Cron service name may differ depending on Linux distribution used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:873 msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:882 msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:885 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the ServiceLogonRight and " "DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " "which the user has Read and Apply Group Policy permission (see option " "<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " "deny service logon setting for the user or one of its groups, the user is " "denied service logon access. If none of the evaluated GPOs has a service " "logon right defined, the user is granted logon access. If at least one " "evaluated GPO contains service logon right settings, the user is granted " "logon access only, if it or at least one of its groups is part of the policy " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:903 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on as a service\" and \"Deny log on as a service\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:916 #, no-wrap msgid "" "ad_gpo_map_service = +my_pam_service\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:908 sssd-ad.5.xml:983 msgid "" "It is possible to add a PAM service name to the default set by using " "<quote>+service_name</quote>. Since the default set is empty, it is not " "possible to remove a PAM service name from the default set. For example, in " "order to add a custom pam service name (e.g. <quote>my_pam_service</quote>), " "you would use the following configuration: <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:926 msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:929 msgid "" "A comma-separated list of PAM service names for which GPO-based access is " "always granted, regardless of any GPO Logon Rights." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:943 #, no-wrap msgid "" "ad_gpo_map_permit = +my_pam_service, -sudo\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:934 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for unconditionally permitted " "access (e.g. <quote>sudo</quote>) with a custom pam service name (e.g. " "<quote>my_pam_service</quote>), you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:951 msgid "polkit-1" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:966 msgid "systemd-user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:975 msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:978 msgid "" "A comma-separated list of PAM service names for which GPO-based access is " "always denied, regardless of any GPO Logon Rights." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:991 #, no-wrap msgid "" "ad_gpo_map_deny = +my_pam_service\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1001 msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1004 msgid "" "This option defines how access control is evaluated for PAM service names " "that are not explicitly listed in one of the ad_gpo_map_* options. This " "option can be set in two different manners. First, this option can be set to " "use a default logon right. For example, if this option is set to " "'interactive', it means that unmapped PAM service names will be processed " "based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " "settings. Alternatively, this option can be set to either always permit or " "always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1017 msgid "Supported values for this option include:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1026 msgid "remote_interactive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1031 msgid "network" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1036 msgid "batch" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1041 msgid "service" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1046 msgid "permit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1051 msgid "deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1057 msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1063 msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1066 msgid "" "SSSD will check once a day if the machine account password is older than the " "given age in days and try to renew it. A value of 0 will disable the renewal " "attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1072 msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1078 msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1081 msgid "" "This option should only be used to test the machine account renewal task. " "The option expects 2 integers separated by a colon (':'). The first integer " "defines the interval in seconds how often the task is run. The second " "specifies the initial timeout in seconds before the task is run for the " "first time after startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1090 msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1096 msgid "ad_update_samba_machine_account_password (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1099 msgid "" "If enabled, when SSSD renews the machine account password, it will also be " "updated in Samba's database. This prevents Samba's copy of the machine " "account password from getting out of date when it is set up to use AD for " "authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1112 msgid "ad_use_ldaps (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1115 msgid "" "By default SSSD uses the plain LDAP port 389 and the Global Catalog port " "3628. If this option is set to True SSSD will use the LDAPS port 636 and " "Global Catalog port 3629 with LDAPS protection. Since AD does not allow to " "have multiple encryption layers on a single connection and we still want to " "use SASL/GSSAPI or SASL/GSS-SPNEGO for authentication the SASL security " "property maxssf is set to 0 (zero) for those connections." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1132 msgid "ad_allow_remote_domain_local_groups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1135 msgid "" "If this option is set to <quote>true</quote> SSSD will not filter out Domain " "Local groups from remote domains in the AD forest. By default they are " "filtered out e.g. when following a nested group hierarchy in remote domains " "because they are not valid in the local domain. To be compatible with other " "solutions which make AD users and groups available on Linux client this " "option was added." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1145 msgid "" "Please note that setting this option to <quote>true</quote> will be against " "the intention of Domain Local group in Active Directory and <emphasis>SHOULD " "ONLY BE USED TO FACILITATE MIGRATION FROM OTHER SOLUTIONS</emphasis>. " "Although the group exists and user can be member of the group the intention " "is that the group should be only used in the domain it is defined and in no " "others. Since there is only one type of POSIX groups the only way to achieve " "this on the Linux side is to ignore those groups. This is also done by " "Active Directory as can be seen in the PAC of the Kerberos ticket for a " "local service or in tokenGroups requests where remote Domain Local groups " "are missing as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1161 msgid "" "Given the comments above, if this option is set to <quote>true</quote> the " "tokenGroups request must be disabled by setting <quote>ldap_use_tokengroups</" "quote> to <quote>false</quote> to get consistent group-memberships of a " "users. Additionally the Global Catalog lookup should be skipped as well by " "setting <quote>ad_enable_gc</quote> to <quote>false</quote>. Finally it " "might be necessary to modify <quote>ldap_group_nesting_level</quote> if the " "remote Domain Local groups can only be found with a deeper nesting level." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1184 msgid "" "Optional. This option tells SSSD to automatically update the Active " "Directory DNS server with the IP address of this client. The update is " "secured using GSS-TSIG. As a consequence, the Active Directory administrator " "only needs to allow secure updates for the DNS zone. The IP address of the " "AD LDAP connection is used for the updates, if it is not otherwise specified " "by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1214 msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1230 msgid "" "Default: Use the IP addresses of the interface which is used for AD LDAP " "connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1243 msgid "" "How often should the back end perform periodic DNS update in addition to the " "automatic update performed when the back end goes online. This option is " "optional and applicable only when dyndns_update is true. Note that the " "lowest possible value is 60 seconds in-case if value is provided less than " "60, parameter will assume lowest value only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1393 msgid "" "The following example assumes that SSSD is correctly configured and example." "com is one of the domains in the <replaceable>[sssd]</replaceable> section. " "This example shows only the AD provider-specific options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ad.5.xml:1400 #, no-wrap msgid "" "[domain/EXAMPLE]\n" "id_provider = ad\n" "auth_provider = ad\n" "access_provider = ad\n" "chpass_provider = ad\n" "\n" "ad_server = dc1.example.com\n" "ad_hostname = client.example.com\n" "ad_domain = example.com\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ad.5.xml:1420 #, no-wrap msgid "" "access_provider = ldap\n" "ldap_access_order = expire\n" "ldap_account_expire_policy = ad\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1416 msgid "" "The AD access control provider checks if the account is expired. It has the " "same effect as the following configuration of the LDAP provider: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1426 msgid "" "However, unless the <quote>ad</quote> access control provider is explicitly " "configured, the default access provider is <quote>permit</quote>. Please " "note that if you configure an access provider other than <quote>ad</quote>, " "you need to set all the connection parameters (such as LDAP URIs and " "encryption details) manually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1434 msgid "" "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " "attribute mapping (nisMap, nisObject, ...) is used, because these attributes " "are included in the default Active Directory schema." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 msgid "sssd-sudo" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-sudo.5.xml:17 msgid "Configuring sudo with the SSSD back end" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:23 msgid "" "This manual page describes how to configure <citerefentry> " "<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " "to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:36 msgid "Configuring sudo to cooperate with SSSD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:38 msgid "" "To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " "the <emphasis>sudoers</emphasis> entry in <citerefentry> " "<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:47 msgid "" "For example, to configure sudo to first lookup rules in the standard " "<citerefentry> <refentrytitle>sudoers</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> file (which should contain rules that apply to " "local users) and then in SSSD, the nsswitch.conf file should contain the " "following line:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-sudo.5.xml:57 #, no-wrap msgid "sudoers: files sss\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:61 msgid "" "More information about configuring the sudoers search order from the " "nsswitch.conf file as well as information about the LDAP schema that is used " "to store sudo rules in the directory can be found in <citerefentry> " "<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:70 msgid "" "<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " "sudo rules, you also need to correctly set <citerefentry> " "<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> </" "citerefentry> to your NIS domain name (which equals to IPA domain name when " "using hostgroups)." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:82 msgid "Configuring SSSD to fetch sudo rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:84 msgid "" "All configuration that is needed on SSSD side is to extend the list of " "<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry>. To speed up the LDAP lookups, you can also set " "search base for sudo rules using <emphasis>ldap_sudo_search_base</emphasis> " "option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:94 msgid "" "The following example shows how to configure SSSD to download sudo rules " "from an LDAP server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-sudo.5.xml:99 #, no-wrap msgid "" "[sssd]\n" "config_file_version = 2\n" "services = nss, pam, sudo\n" "domains = EXAMPLE\n" "\n" "[domain/EXAMPLE]\n" "id_provider = ldap\n" "sudo_provider = ldap\n" "ldap_uri = ldap://example.com\n" "ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:98 msgid "" "<placeholder type=\"programlisting\" id=\"0\"/> <phrase " "condition=\"have_systemd\"> It's important to note that on platforms where " "systemd is supported there's no need to add the \"sudo\" provider to the " "list of services, as it became optional. However, sssd-sudo.socket must be " "enabled instead. </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:118 msgid "" "When SSSD is configured to use IPA as the ID provider, the sudo provider is " "automatically enabled. The sudo search base is configured to use the IPA " "native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " "sssd.conf, this value will be used instead. The compat tree (ou=sudoers," "$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:128 msgid "The SUDO rule caching mechanism" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:130 msgid "" "The biggest challenge, when developing sudo support in SSSD, was to ensure " "that running sudo with SSSD as the data source provides the same user " "experience and is as fast as sudo but keeps providing the most current set " "of rules as possible. To satisfy these requirements, SSSD uses three kinds " "of updates. They are referred to as full refresh, smart refresh and rules " "refresh." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:138 msgid "" "The <emphasis>smart refresh</emphasis> periodically downloads rules that are " "new or were modified after the last update. Its primary goal is to keep the " "database growing by fetching only small increments that do not generate " "large amounts of network traffic." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:144 msgid "" "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " "in the cache and replaces them with all rules that are stored on the server. " "This is used to keep the cache consistent by removing every rule which was " "deleted from the server. However, full refresh may produce a lot of traffic " "and thus it should be run only occasionally depending on the size and " "stability of the sudo rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:152 msgid "" "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " "more permission than defined. It is triggered each time the user runs sudo. " "Rules refresh will find all rules that apply to this user, check their " "expiration time and redownload them if expired. In the case that any of " "these rules are missing on the server, the SSSD will do an out of band full " "refresh because more rules (that apply to other users) may have been deleted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:161 msgid "" "If enabled, SSSD will store only rules that can be applied to this machine. " "This means rules that contain one of the following values in " "<emphasis>sudoHost</emphasis> attribute:" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:168 msgid "keyword ALL" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:173 msgid "wildcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:178 msgid "netgroup (in the form \"+netgroup\")" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:183 msgid "hostname or fully qualified domain name of this machine" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:188 msgid "one of the IP addresses of this machine" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:193 msgid "one of the IP addresses of the network (in the form \"address/mask\")" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:199 msgid "" "There are many configuration options that can be used to adjust the " "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> and \"sudo_*\" in <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:213 msgid "Tuning the performance" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:215 msgid "" "SSSD uses different kinds of mechanisms with more or less complex LDAP " "filters to keep the cached sudo rules up to date. The default configuration " "is set to values that should satisfy most of our users, but the following " "paragraphs contain few tips on how to fine- tune the configuration to your " "requirements." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:222 msgid "" "1. <emphasis>Index LDAP attributes</emphasis>. Make sure that following LDAP " "attributes are indexed: objectClass, cn, entryUSN or modifyTimestamp." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:227 msgid "" "2. <emphasis>Set ldap_sudo_search_base</emphasis>. Set the search base to " "the container that holds the sudo rules to limit the scope of the lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:232 msgid "" "3. <emphasis>Set full and smart refresh interval</emphasis>. If your sudo " "rules do not change often and you do not require quick update of cached " "rules on your clients, you may consider increasing the " "<emphasis>ldap_sudo_full_refresh_interval</emphasis> and " "<emphasis>ldap_sudo_smart_refresh_interval</emphasis>. You may also consider " "disabling the smart refresh by setting " "<emphasis>ldap_sudo_smart_refresh_interval = 0</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:241 msgid "" "4. If you have large number of clients, you may consider increasing the " "value of <emphasis>ldap_sudo_random_offset</emphasis> to distribute the load " "on the server better." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd.8.xml:10 sssd.8.xml:15 msgid "sssd" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd.8.xml:16 msgid "System Security Services Daemon" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sssd.8.xml:21 msgid "" "<command>sssd</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.8.xml:31 msgid "" "<command>SSSD</command> provides a set of daemons to manage access to remote " "directories and authentication mechanisms. It provides an NSS and PAM " "interface toward the system and a pluggable backend system to connect to " "multiple different account sources as well as D-Bus interface. It is also " "the basis to provide client auditing and policy services for projects like " "FreeIPA. It provides a more robust database to store local users as well as " "extended user data." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:46 msgid "" "<option>-d</option>,<option>--debug-level</option> <replaceable>LEVEL</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:53 msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:57 msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:60 msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:69 msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:73 msgid "" "<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:76 msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:85 msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:89 msgid "Location where SSSD will send log messages." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:92 msgid "" "<emphasis>stderr</emphasis>: Redirect debug messages to standard error " "output." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:96 msgid "" "<emphasis>files</emphasis>: Redirect debug messages to the log files. By " "default, the log files are stored in <filename>/var/log/sssd</filename> and " "there are separate log files for every SSSD service and domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:102 msgid "" "<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:106 msgid "" "Default: not set (fall back to journald if available, otherwise to stderr)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:113 msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:117 msgid "Become a daemon after starting up." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:123 sss_seed.8.xml:136 msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:127 msgid "Run in the foreground, don't become a daemon." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:133 msgid "<option>-c</option>,<option>--config</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:137 msgid "" "Specify a non-default config file. The default is <filename>/etc/sssd/sssd." "conf</filename>. For reference on the config file syntax and options, " "consult the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:150 msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:154 msgid "" "Do not start the SSSD, but refresh the configuration database from the " "contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:162 msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:166 msgid "" "Similar to <quote>--genconf</quote>, but only refresh a single section from " "the configuration file. This option is useful mainly to be called from " "systemd unit files to allow socket-activated responders to refresh their " "configuration without requiring the administrator to restart the whole SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:178 msgid "<option>--version</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:182 msgid "Print version number and exit." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.8.xml:190 msgid "Signals" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:193 msgid "SIGTERM/SIGINT" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:196 msgid "" "Informs the SSSD to gracefully terminate all of its child processes and then " "shut down the monitor." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:202 msgid "SIGHUP" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:205 msgid "" "Tells the SSSD to stop writing to its current debug file descriptors and to " "close and reopen them. This is meant to facilitate log rolling with programs " "like logrotate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:213 msgid "SIGUSR1" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:216 msgid "" "Tells the SSSD to simulate offline operation for the duration of the " "<quote>offline_timeout</quote> parameter. This is useful for testing. The " "signal can be sent to either the sssd process or any sssd_be process " "directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:225 msgid "SIGUSR2" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:228 msgid "" "Tells the SSSD to go online immediately. This is useful for testing. The " "signal can be sent to either the sssd process or any sssd_be process " "directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.8.xml:240 msgid "" "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " "applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.8.xml:244 msgid "" "If the environment variable SSS_LOCKFREE is set to \"NO\", requests from " "multiple threads of a single application will be serialized." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 msgid "sss_obfuscate" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_obfuscate.8.xml:16 msgid "obfuscate a clear text password" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_obfuscate.8.xml:21 msgid "" "<command>sss_obfuscate</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg> <arg choice='plain'><replaceable>[PASSWORD]</" "replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_obfuscate.8.xml:32 msgid "" "<command>sss_obfuscate</command> converts a given password into human-" "unreadable format and places it into appropriate domain section of the SSSD " "config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_obfuscate.8.xml:37 msgid "" "The cleartext password is read from standard input or entered " "interactively. The obfuscated password is put into " "<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " "<quote>ldap_default_authtok_type</quote> parameter is set to " "<quote>obfuscated_password</quote>. Refer to <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> for more details on these parameters." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_obfuscate.8.xml:49 msgid "" "Please note that obfuscating the password provides <emphasis>no real " "security benefit</emphasis> as it is still possible for an attacker to " "reverse-engineer the password back. Using better authentication mechanisms " "such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " "advised." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_obfuscate.8.xml:63 msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:67 msgid "The password to obfuscate will be read from standard input." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 #: sss_ssh_knownhostsproxy.1.xml:78 msgid "" "<option>-d</option>,<option>--domain</option> <replaceable>DOMAIN</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:79 msgid "" "The SSSD domain to use the password in. The default name is <quote>default</" "quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_obfuscate.8.xml:86 msgid "" "<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:91 msgid "Read the config file specified by the positional parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:95 msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_override.8.xml:10 sss_override.8.xml:15 msgid "sss_override" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_override.8.xml:16 msgid "create local overrides of user and group attributes" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_override.8.xml:21 msgid "" "<command>sss_override</command> <arg choice='plain'><replaceable>COMMAND</" "replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" "arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:32 msgid "" "<command>sss_override</command> enables to create a client-side view and " "allows to change selected values of specific user and groups. This change " "takes effect only on local machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:37 msgid "" "Overrides data are stored in the SSSD cache. If the cache is deleted, all " "local overrides are lost. Please note that after the first override is " "created using any of the following <emphasis>user-add</emphasis>, " "<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " "<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " "take effect. <emphasis>sss_override</emphasis> prints message when a " "restart is required." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:48 msgid "" "<emphasis>NOTE:</emphasis> The options provided in this man page only work " "with <quote>ldap</quote> and <quote>AD</quote> <quote> id_provider</quote>. " "IPA overrides can be managed centrally on the IPA server." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_override.8.xml:56 sssctl.8.xml:41 msgid "AVAILABLE COMMANDS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:58 msgid "" "Argument <emphasis>NAME</emphasis> is the name of original object in all " "commands. It is not possible to override <emphasis>uid</emphasis> or " "<emphasis>gid</emphasis> to 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:65 msgid "" "<option>user-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" "name</option> NAME</optional> <optional><option>-u,--uid</option> UID</" "optional> <optional><option>-g,--gid</option> GID</optional> " "<optional><option>-h,--home</option> HOME</optional> <optional><option>-s,--" "shell</option> SHELL</optional> <optional><option>-c,--gecos</option> GECOS</" "optional> <optional><option>-x,--certificate</option> BASE64 ENCODED " "CERTIFICATE</optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:78 msgid "" "Override attributes of an user. Please be aware that calling this command " "will replace any previous override for the (NAMEd) user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:86 msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:91 msgid "" "Remove user overrides. However be aware that overridden attributes might be " "returned from memory cache. Please see SSSD option " "<emphasis>memcache_timeout</emphasis> for more details." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:100 msgid "" "<option>user-find</option> <optional><option>-d,--domain</option> DOMAIN</" "optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:105 msgid "" "List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " "is set, only users from the domain are listed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:113 msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:118 msgid "Show user overrides." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:124 msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:129 msgid "" "Import user overrides from <emphasis>FILE</emphasis>. Data format is " "similar to standard passwd file. The format is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:134 msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:137 msgid "" "where original_name is original name of the user whose attributes should be " "overridden. The rest of fields correspond to new values. You can omit a " "value simply by leaving corresponding field empty." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:146 msgid "ckent:superman::::::" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:149 msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:155 msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:160 msgid "" "Export all overridden attributes and store them in <emphasis>FILE</" "emphasis>. See <emphasis>user-import</emphasis> for data format." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:168 msgid "" "<option>group-add</option> <emphasis>NAME</emphasis> <optional><option>-n,--" "name</option> NAME</optional> <optional><option>-g,--gid</option> GID</" "optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:175 msgid "" "Override attributes of a group. Please be aware that calling this command " "will replace any previous override for the (NAMEd) group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:183 msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:188 msgid "" "Remove group overrides. However be aware that overridden attributes might be " "returned from memory cache. Please see SSSD option " "<emphasis>memcache_timeout</emphasis> for more details." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:197 msgid "" "<option>group-find</option> <optional><option>-d,--domain</option> DOMAIN</" "optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:202 msgid "" "List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " "parameter is set, only groups from the domain are listed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:210 msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:215 msgid "Show group overrides." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:221 msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:226 msgid "" "Import group overrides from <emphasis>FILE</emphasis>. Data format is " "similar to standard group file. The format is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:231 msgid "original_name:name:gid" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:234 msgid "" "where original_name is original name of the group whose attributes should be " "overridden. The rest of fields correspond to new values. You can omit a " "value simply by leaving corresponding field empty." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:243 msgid "admins:administrators:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:246 msgid "Domain Users:Users:501" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:252 msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:257 msgid "" "Export all overridden attributes and store them in <emphasis>FILE</" "emphasis>. See <emphasis>group-import</emphasis> for data format." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_override.8.xml:267 sssctl.8.xml:50 msgid "COMMON OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:269 sssctl.8.xml:52 msgid "Those options are available with all commands." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:274 sssctl.8.xml:57 msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 msgid "sssd-krb5" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-krb5.5.xml:17 msgid "SSSD Kerberos provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:23 msgid "" "This manual page describes the configuration of the Kerberos 5 " "authentication backend for <citerefentry> <refentrytitle>sssd</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. For a detailed " "syntax reference, please refer to the <quote>FILE FORMAT</quote> section of " "the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:36 msgid "" "The Kerberos 5 authentication backend contains auth and chpass providers. It " "must be paired with an identity provider in order to function properly (for " "example, id_provider = ldap). Some information required by the Kerberos 5 " "authentication backend must be provided by the identity provider, such as " "the user's Kerberos Principal Name (UPN). The configuration of the identity " "provider should have an entry to specify the UPN. Please refer to the man " "page for the applicable identity provider for details on how to configure " "this." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:47 msgid "" "This backend also provides access control based on the .k5login file in the " "home directory of the user. See <citerefentry> <refentrytitle>k5login</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry> for more details. " "Please note that an empty .k5login file will deny all access to this user. " "To activate this feature, use 'access_provider = krb5' in your SSSD " "configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:55 msgid "" "In the case where the UPN is not available in the identity backend, " "<command>sssd</command> will construct a UPN using the format " "<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:77 msgid "" "Specifies the comma-separated list of IP addresses or hostnames of the " "Kerberos servers to which SSSD should connect, in the order of preference. " "For more information on failover and server redundancy, see the " "<quote>FAILOVER</quote> section. An optional port number (preceded by a " "colon) may be appended to the addresses or hostnames. If empty, service " "discovery is enabled; for more information, refer to the <quote>SERVICE " "DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:106 msgid "" "The name of the Kerberos realm. This option is required and must be " "specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:113 msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:116 msgid "" "If the change password service is not running on the KDC, alternative " "servers can be defined here. An optional port number (preceded by a colon) " "may be appended to the addresses or hostnames." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:122 msgid "" "For more information on failover and server redundancy, see the " "<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " "servers to try, the backend is not switched to operate offline if " "authentication against the KDC is still possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:129 msgid "Default: Use the KDC" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:135 msgid "krb5_ccachedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:138 msgid "" "Directory to store credential caches. All the substitution sequences of " "krb5_ccname_template can be used here, too, except %d and %P. The directory " "is created as private and owned by the user, with permissions set to 0700." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:145 msgid "Default: /tmp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:151 msgid "krb5_ccname_template (string)" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:165 include/override_homedir.xml:11 msgid "%u" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:166 include/override_homedir.xml:12 msgid "login name" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:169 include/override_homedir.xml:15 msgid "%U" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:170 msgid "login UID" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:173 msgid "%p" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:174 msgid "principal name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:178 msgid "%r" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:179 msgid "realm name" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:182 include/override_homedir.xml:42 msgid "%h" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:183 sssd-ifp.5.xml:124 msgid "home directory" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:187 include/override_homedir.xml:19 msgid "%d" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:188 msgid "value of krb5_ccachedir" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:193 include/override_homedir.xml:31 msgid "%P" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:194 msgid "the process ID of the SSSD client" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:199 include/override_homedir.xml:56 msgid "%%" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:200 include/override_homedir.xml:57 msgid "a literal '%'" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:154 msgid "" "Location of the user's credential cache. Three credential cache types are " "currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " "<quote>KEYRING:persistent</quote>. The cache can be specified either as " "<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " "implies the <quote>FILE</quote> type. In the template, the following " "sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " "the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " "filename in a safe way." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:208 msgid "" "When using KEYRING types, the only supported mechanism is <quote>KEYRING:" "persistent:%U</quote>, which uses the Linux kernel keyring to store " "credentials on a per-UID basis. This is also the recommended choice, as it " "is the most secure and predictable method." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:216 msgid "" "The default value for the credential cache name is sourced from the profile " "stored in the system wide krb5.conf configuration file in the [libdefaults] " "section. The option name is default_ccache_name. See krb5.conf(5)'s " "PARAMETER EXPANSION paragraph for additional information on the expansion " "format defined by krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:225 msgid "" "NOTE: Please be aware that libkrb5 ccache expansion template from " "<citerefentry> <refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> uses different expansion sequences than SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:234 msgid "Default: (from libkrb5)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:240 msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:243 msgid "" "The location of the keytab to use when validating credentials obtained from " "KDCs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:253 msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:256 msgid "" "Store the password of the user if the provider is offline and use it to " "request a TGT when the provider comes online again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:261 msgid "" "NOTE: this feature is only available on Linux. Passwords stored in this way " "are kept in plaintext in the kernel keyring and are potentially accessible " "by the root user (with difficulty)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:274 msgid "krb5_use_fast (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:277 msgid "" "Enables flexible authentication secure tunneling (FAST) for Kerberos pre-" "authentication. The following options are supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:282 msgid "" "<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " "option at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:286 msgid "" "<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " "continue the authentication without it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:291 msgid "" "<emphasis>demand</emphasis> to use FAST. The authentication fails if the " "server does not require fast." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:296 msgid "Default: not set, i.e. FAST is not used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:299 msgid "NOTE: a keytab or support for anonymous PKINIT is required to use FAST." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:303 msgid "" "NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " "SSSD is used with an older version of MIT Kerberos, using this option is a " "configuration error." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:312 msgid "krb5_fast_principal (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:315 msgid "Specifies the server principal to use for FAST." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:321 msgid "krb5_fast_use_anonymous_pkinit (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:324 msgid "" "If set to true try to use anonymous PKINIT instead of a keytab to get the " "required credential for FAST. The krb5_fast_principal options is ignored in " "this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:364 msgid "krb5_kdcinfo_lookahead (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:367 msgid "" "When krb5_use_kdcinfo is set to true, you can limit the amount of servers " "handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry>. This might be " "helpful when there are too many servers discovered using SRV record." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:377 msgid "" "The krb5_kdcinfo_lookahead option contains two numbers separated by a colon. " "The first number represents number of primary servers used and the second " "number specifies the number of backup servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:383 msgid "" "For example <emphasis>10:0</emphasis> means that up to 10 primary servers " "will be handed to <citerefentry> <refentrytitle>sssd_krb5_locator_plugin</" "refentrytitle> <manvolnum>8</manvolnum> </citerefentry> but no backup " "servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:392 msgid "Default: 3:1" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:398 msgid "krb5_use_enterprise_principal (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:401 msgid "" "Specifies if the user principal should be treated as enterprise principal. " "See section 5 of RFC 6806 for more details about enterprise principals." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:407 msgid "Default: false (AD provider: true)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:410 msgid "" "The IPA provider will set to option to 'true' if it detects that the server " "is capable of handling enterprise principals and the option is not set " "explicitly in the config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:419 msgid "krb5_use_subdomain_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:422 msgid "" "Specifies to use subdomains realms for the authentication of users from " "trusted domains. This option can be set to 'true' if enterprise principals " "are used with upnSuffixes which are not known on the parent domain KDCs. If " "the option is set to 'true' SSSD will try to send the request directly to a " "KDC of the trusted domain the user is coming from." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:438 msgid "krb5_map_user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:441 msgid "" "The list of mappings is given as a comma-separated list of pairs " "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " "name and <quote>primary</quote> is a user part of a kerberos principal. This " "mapping is used when user is authenticating using <quote>auth_provider = " "krb5</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-krb5.5.xml:453 #, no-wrap msgid "" "krb5_realm = REALM\n" "krb5_map_user = joe:juser,dick:richard\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:458 msgid "" "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " "principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " "try to kinit as <quote>juser@REALM</quote> resp. <quote>richard@REALM</" "quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:65 msgid "" "If the auth-module krb5 is used in an SSSD domain, the following options " "must be used. See the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page, section " "<quote>DOMAIN SECTIONS</quote>, for details on the configuration of an SSSD " "domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:485 msgid "" "The following example assumes that SSSD is correctly configured and FOO is " "one of the domains in the <replaceable>[sssd]</replaceable> section. This " "example shows only configuration of Kerberos authentication; it does not " "include any identity provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-krb5.5.xml:493 #, no-wrap msgid "" "[domain/FOO]\n" "auth_provider = krb5\n" "krb5_server = 192.168.1.1\n" "krb5_realm = EXAMPLE.COM\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_cache.8.xml:10 sss_cache.8.xml:15 msgid "sss_cache" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_cache.8.xml:16 msgid "perform cache cleanup" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_cache.8.xml:21 msgid "" "<command>sss_cache</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:31 msgid "" "<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " "records are forced to be reloaded from server as soon as related SSSD " "backend is online. Options that invalidate a single object only accept a " "single provided argument." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:43 msgid "<option>-E</option>,<option>--everything</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:47 msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:53 msgid "" "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:58 msgid "Invalidate specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:64 msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:68 msgid "" "Invalidate all user records. This option overrides invalidation of specific " "user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:75 msgid "" "<option>-g</option>,<option>--group</option> <replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:80 msgid "Invalidate specific group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:86 msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:90 msgid "" "Invalidate all group records. This option overrides invalidation of specific " "group if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:97 msgid "" "<option>-n</option>,<option>--netgroup</option> <replaceable>netgroup</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:102 msgid "Invalidate specific netgroup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:108 msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:112 msgid "" "Invalidate all netgroup records. This option overrides invalidation of " "specific netgroup if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:119 msgid "" "<option>-s</option>,<option>--service</option> <replaceable>service</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:124 msgid "Invalidate specific service." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:130 msgid "<option>-S</option>,<option>--services</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:134 msgid "" "Invalidate all service records. This option overrides invalidation of " "specific service if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:141 msgid "" "<option>-a</option>,<option>--autofs-map</option> <replaceable>autofs-map</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:146 msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:152 msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:156 msgid "" "Invalidate all autofs maps. This option overrides invalidation of specific " "map if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:163 msgid "" "<option>-h</option>,<option>--ssh-host</option> <replaceable>hostname</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:168 msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:174 msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:178 msgid "" "Invalidate SSH public keys of all hosts. This option overrides invalidation " "of SSH public keys of specific host if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:186 msgid "" "<option>-r</option>,<option>--sudo-rule</option> <replaceable>rule</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:191 msgid "Invalidate particular sudo rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:197 msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:201 msgid "" "Invalidate all cached sudo rules. This option overrides invalidation of " "specific sudo rule if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:209 msgid "" "<option>-d</option>,<option>--domain</option> <replaceable>domain</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:214 msgid "Restrict invalidation process only to a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_cache.8.xml:224 msgid "EFFECTS ON THE FAST MEMORY CACHE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:226 msgid "" "<command>sss_cache</command> also invalidates the memory cache. Since the " "memory cache is a file which is mapped into the memory of each process which " "called SSSD to resolve users or groups the file cannot be truncated. A " "special flag is set in the header of the file to indicate that the content " "is invalid and then the file is unlinked by SSSD's NSS responder and a new " "cache file is created. Whenever a process is now doing a new lookup for a " "user or a group it will see the flag, close the old memory cache file and " "map the new one into its memory. When all processes which had opened the old " "memory cache file have closed it while looking up a user or a group the " "kernel can release the occupied disk space and the old memory cache file is " "finally removed completely." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:240 msgid "" "A special case is long running processes which are doing user or group " "lookups only at startup, e.g. to determine the name of the user the process " "is running as. For those lookups the memory cache file is mapped into the " "memory of the process. But since there will be no further lookups this " "process would never detect if the memory cache file was invalidated and " "hence it will be kept in memory and will occupy disk space until the process " "stops. As a result calling <command>sss_cache</command> might increase the " "disk usage because old memory cache files cannot be removed from the disk " "because they are still mapped by long running processes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:252 msgid "" "A possible work-around for long running processes which are looking up users " "and groups only at startup or very rarely is to run them with the " "environment variable SSS_NSS_USE_MEMCACHE set to \"NO\" so that they won't " "use the memory cache at all and not map the memory cache file into the " "memory. In general a better solution is to tune the cache timeout parameters " "so that they meet the local expectations and calling <command>sss_cache</" "command> is not needed." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 msgid "sss_debuglevel" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_debuglevel.8.xml:16 msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_debuglevel.8.xml:21 msgid "" "<command>sss_debuglevel</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg> <arg choice='plain'><replaceable>NEW_DEBUG_LEVEL</" "replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_debuglevel.8.xml:32 msgid "" "<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " "debug-level command. Please refer to the <command>sssctl</command> man page " "for more information on sssctl usage." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_seed.8.xml:10 sss_seed.8.xml:15 msgid "sss_seed" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_seed.8.xml:16 msgid "seed the SSSD cache with a user" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_seed.8.xml:21 msgid "" "<command>sss_seed</command> <arg choice='opt'> <replaceable>options</" "replaceable> </arg> <arg choice='plain'>-D <replaceable>DOMAIN</" "replaceable></arg> <arg choice='plain'>-n <replaceable>USER</replaceable></" "arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_seed.8.xml:33 msgid "" "<command>sss_seed</command> seeds the SSSD cache with a user entry and " "temporary password. If a user entry is already present in the SSSD cache " "then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:46 msgid "" "<option>-D</option>,<option>--domain</option> <replaceable>DOMAIN</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:51 msgid "" "Provide the name of the domain in which the user is a member of. The domain " "is also used to retrieve user information. The domain must be configured in " "sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " "Information retrieved from the domain overrides what is provided in the " "options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:63 msgid "" "<option>-n</option>,<option>--username</option> <replaceable>USER</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:68 msgid "" "The username of the entry to be created or modified in the cache. The " "<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:76 msgid "" "<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:81 msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:88 msgid "" "<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:93 msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:100 msgid "" "<option>-c</option>,<option>--gecos</option> <replaceable>COMMENT</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:105 msgid "" "Any text string describing the user. Often used as the field for the user's " "full name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:112 msgid "" "<option>-h</option>,<option>--home</option> <replaceable>HOME_DIR</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:117 msgid "" "Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:124 msgid "" "<option>-s</option>,<option>--shell</option> <replaceable>SHELL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:129 msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:140 msgid "" "Interactive mode for entering user information. This option will only prompt " "for information not provided in the options or retrieved from the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:148 msgid "" "<option>-p</option>,<option>--password-file</option> <replaceable>PASS_FILE</" "replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:153 msgid "" "Specify file to read user's password from. (if not specified password is " "prompted for)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_seed.8.xml:165 msgid "" "The length of the password (or the size of file specified with -p or --" "password-file option) must be less than or equal to PASS_MAX bytes (64 bytes " "on systems with no globally-defined PASS_MAX value)." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 msgid "sssd-ifp" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ifp.5.xml:17 msgid "SSSD InfoPipe responder" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ifp.5.xml:23 msgid "" "This manual page describes the configuration of the InfoPipe responder for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ifp.5.xml:36 msgid "" "The InfoPipe responder provides a public D-Bus interface accessible over the " "system bus. The interface allows the user to query information about remote " "users and groups over the system bus." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ifp.5.xml:43 msgid "FIND BY VALID CERTIFICATE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ifp.5.xml:45 msgid "" "The following options can be used to control how the certificates are " "validated when using the FindByValidCertificate() API:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ifp.5.xml:48 sss_ssh_authorizedkeys.1.xml:92 msgid "ca_db" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ifp.5.xml:49 sss_ssh_authorizedkeys.1.xml:93 msgid "p11_child_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ifp.5.xml:50 sss_ssh_authorizedkeys.1.xml:94 msgid "certificate_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ifp.5.xml:52 msgid "" "For more details about the options see <citerefentry><refentrytitle>sssd." "conf</refentrytitle> <manvolnum>5</manvolnum></citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ifp.5.xml:62 msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:69 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the InfoPipe responder. User names are resolved to UIDs at " "startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:75 msgid "" "Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:79 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " "access the InfoPipe responder, which would be the typical case, you have to " "add 0 to the list of allowed UIDs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:93 msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:107 msgid "name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:108 msgid "user's login name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:111 msgid "uidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:112 msgid "user ID" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:115 msgid "gidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:116 msgid "primary group ID" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:119 msgid "gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:120 msgid "user information, typically full name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:123 msgid "homeDirectory" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:127 msgid "loginShell" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:128 msgid "user shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:97 msgid "" "By default, the InfoPipe responder only allows the default set of POSIX " "attributes to be requested. This set is the same as returned by " "<citerefentry> <refentrytitle>getpwnam</refentrytitle> <manvolnum>3</" "manvolnum> </citerefentry> and includes: <placeholder type=\"variablelist\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ifp.5.xml:141 #, no-wrap msgid "" "user_attributes = +telephoneNumber, -loginShell\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:133 msgid "" "It is possible to add another attribute to this set by using " "<quote>+attr_name</quote> or explicitly remove an attribute using <quote>-" "attr_name</quote>. For example, to allow <quote>telephoneNumber</quote> but " "deny <quote>loginShell</quote>, you would use the following configuration: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:145 msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:155 msgid "" "Specifies an upper limit on the number of entries that are downloaded during " "a wildcard lookup that overrides caller-supplied limit." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:160 msgid "Default: 0 (let the caller set an upper limit)" msgstr "" #. type: Content of: <reference><refentry><refentryinfo> #: sss_rpcidmapd.5.xml:8 msgid "" "<productname>sss rpc.idmapd plugin</productname> <author> <firstname>Noam</" "firstname> <surname>Meltzer</surname> <affiliation> <orgname>Primary Data " "Inc.</orgname> </affiliation> <contrib>Developer (2013-2014)</contrib> </" "author> <author> <firstname>Noam</firstname> <surname>Meltzer</surname> " "<contrib>Developer (2014-)</contrib> <email>tsnoam@gmail.com</email> </" "author>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 msgid "sss_rpcidmapd" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_rpcidmapd.5.xml:33 msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_rpcidmapd.5.xml:37 msgid "CONFIGURATION FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:39 msgid "" "rpc.idmapd configuration file is usually found at <emphasis>/etc/idmapd." "conf</emphasis>. See <citerefentry> <refentrytitle>idmapd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> for more information." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_rpcidmapd.5.xml:49 msgid "SSS CONFIGURATION EXTENSION" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss_rpcidmapd.5.xml:51 msgid "Enable SSS plugin" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_rpcidmapd.5.xml:53 msgid "" "In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " "attribute to contain <emphasis>sss</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss_rpcidmapd.5.xml:59 msgid "[sss] config section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_rpcidmapd.5.xml:61 msgid "" "In order to change the default of one of the configuration attributes of the " "<emphasis>sss</emphasis> plugin listed below you will need to create a " "config section for it, named <quote>[sss]</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> #: sss_rpcidmapd.5.xml:67 msgid "Configuration attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sss_rpcidmapd.5.xml:69 msgid "memcache (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sss_rpcidmapd.5.xml:72 msgid "Indicates whether or not to use memcache optimisation technique." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_rpcidmapd.5.xml:85 msgid "SSSD INTEGRATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:87 msgid "" "The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " "in sssd." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:91 msgid "" "The attribute <quote>use_fully_qualified_names</quote> must be enabled on " "all domains (NFSv4 clients expect a fully qualified name to be sent on the " "wire)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sss_rpcidmapd.5.xml:103 #, no-wrap msgid "" "[General]\n" "Verbosity = 2\n" "# domain must be synced between NFSv4 server and clients\n" "# Solaris/Illumos/AIX use \"localdomain\" as default!\n" "Domain = default\n" "\n" "[Mapping]\n" "Nobody-User = nfsnobody\n" "Nobody-Group = nfsnobody\n" "\n" "[Translation]\n" "Method = sss\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:100 msgid "" "The following example shows a minimal idmapd.conf which makes use of the sss " "plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <refsect1><title> #: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:316 include/seealso.xml:2 msgid "SEE ALSO" msgstr "VIZ TAKÉ" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:122 msgid "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 msgid "sss_ssh_authorizedkeys" msgstr "" #. type: Content of: <reference><refentry><refmeta><manvolnum> #: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 msgid "1" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_ssh_authorizedkeys.1.xml:16 msgid "get OpenSSH authorized keys" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_ssh_authorizedkeys.1.xml:21 msgid "" "<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " "<replaceable>options</replaceable> </arg> <arg " "choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:32 msgid "" "<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " "<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " "format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " "<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" "citerefentry> for more information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:41 msgid "" "<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" "citerefentry> can be configured to use <command>sss_ssh_authorizedkeys</" "command> for public key user authentication if it is compiled with support " "for <quote>AuthorizedKeysCommand</quote> option. Please refer to the " "<citerefentry> <refentrytitle>sshd_config</refentrytitle> <manvolnum>5</" "manvolnum></citerefentry> man page for more details about this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sss_ssh_authorizedkeys.1.xml:59 #, no-wrap msgid "" " AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" " AuthorizedKeysCommandUser nobody\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:52 msgid "" "If <quote>AuthorizedKeysCommand</quote> is supported, " "<citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</manvolnum></" "citerefentry> can be configured to use it by putting the following " "directives in <citerefentry> <refentrytitle>sshd_config</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry>: <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss_ssh_authorizedkeys.1.xml:65 msgid "KEYS FROM CERTIFICATES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:67 msgid "" "In addition to the public SSH keys for user <replaceable>USER</replaceable> " "<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " "from the public key of a X.509 certificate as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:73 msgid "" "To enable this the <quote>ssh_use_certificate_keys</quote> option must be " "set to true (default) in the [ssh] section of <filename>sssd.conf</" "filename>. If the user entry contains certificates (see " "<quote>ldap_user_certificate</quote> in <citerefentry><refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) or " "there is a certificate in an override entry for the user (see " "<citerefentry><refentrytitle>sss_override</refentrytitle> <manvolnum>8</" "manvolnum></citerefentry> or <citerefentry><refentrytitle>sssd-ipa</" "refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details) and the " "certificate is valid SSSD will extract the public key from the certificate " "and convert it into the format expected by sshd." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:90 msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:96 msgid "" "can be used to control how the certificates are validated (see " "<citerefentry><refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum></citerefentry> for details)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:101 msgid "" "The validation is the benefit of using X.509 certificates instead of SSH " "keys directly because e.g. it gives a better control of the lifetime of the " "keys. When the ssh client is configured to use the private keys from a " "Smartcard with the help of a PKCS#11 shared library (see " "<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" "citerefentry> for details) it might be irritating that authentication is " "still working even if the related X.509 certificate on the Smartcard is " "already expired because neither <command>ssh</command> nor <command>sshd</" "command> will look at the certificate at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:114 msgid "" "It has to be noted that the derived public SSH key can still be added to the " "<filename>authorized_keys</filename> file of the user to bypass the " "certificate validation if the <command>sshd</command> configuration permits " "this." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_authorizedkeys.1.xml:132 msgid "" "Search for user public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 msgid "EXIT STATUS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" "In case of success, an exit value of 0 is returned. Otherwise, 1 is returned." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 msgid "sss_ssh_knownhostsproxy" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_ssh_knownhostsproxy.1.xml:16 msgid "get OpenSSH host keys" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_ssh_knownhostsproxy.1.xml:21 msgid "" "<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " "<replaceable>options</replaceable> </arg> <arg " "choice='plain'><replaceable>HOST</replaceable></arg> <arg " "choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_knownhostsproxy.1.xml:33 msgid "" "<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " "host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " "known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " "of <citerefentry><refentrytitle>sshd</refentrytitle> <manvolnum>8</" "manvolnum></citerefentry> for more information) <filename>/var/lib/sss/" "pubconf/known_hosts</filename> and establishes the connection to the host." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_knownhostsproxy.1.xml:43 msgid "" "If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " "create the connection to the host instead of opening a socket." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sss_ssh_knownhostsproxy.1.xml:55 #, no-wrap msgid "" "ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" "GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_knownhostsproxy.1.xml:48 msgid "" "<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" "citerefentry> can be configured to use <command>sss_ssh_knownhostsproxy</" "command> for host key authentication by using the following directives for " "<citerefentry><refentrytitle>ssh</refentrytitle> <manvolnum>1</manvolnum></" "citerefentry> configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_ssh_knownhostsproxy.1.xml:66 msgid "" "<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_knownhostsproxy.1.xml:71 msgid "" "Use port <replaceable>PORT</replaceable> to connect to the host. By " "default, port 22 is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_knownhostsproxy.1.xml:83 msgid "" "Search for host public keys in SSSD domain <replaceable>DOMAIN</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_ssh_knownhostsproxy.1.xml:89 msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_knownhostsproxy.1.xml:93 msgid "" "Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: idmap_sss.8.xml:10 idmap_sss.8.xml:15 msgid "idmap_sss" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: idmap_sss.8.xml:16 msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:22 msgid "" "The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and SIDs. " "No database is required in this case as the mapping is done by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: idmap_sss.8.xml:29 msgid "IDMAP OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: idmap_sss.8.xml:33 msgid "range = low - high" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: idmap_sss.8.xml:35 msgid "" "Defines the available matching UID and GID range for which the backend is " "authoritative." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:45 msgid "" "This example shows how to configure idmap_sss as the default mapping module." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: idmap_sss.8.xml:50 #, no-wrap msgid "" "[global]\n" "security = ads\n" "workgroup = <AD-DOMAIN-SHORTNAME>\n" "\n" "idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" "idmap config <AD-DOMAIN-SHORTNAME> : range = 200000-2147483647\n" "\n" "idmap config * : backend = tdb\n" "idmap config * : range = 100000-199999\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:62 msgid "" "Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " "the AD domain. If multiple AD domains should be used each domain needs an " "<literal>idmap config</literal> line with <literal>backend = sss</literal> " "and a line with a suitable <literal>range</literal>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:69 msgid "" "Since Winbind requires a writeable default backend and idmap_sss is read-" "only the example includes <literal>backend = tdb</literal> as default." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssctl.8.xml:10 sssctl.8.xml:15 msgid "sssctl" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssctl.8.xml:16 msgid "SSSD control and status utility" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sssctl.8.xml:21 msgid "" "<command>sssctl</command> <arg choice='plain'><replaceable>COMMAND</" "replaceable></arg> <arg choice='opt'> <replaceable>options</replaceable> </" "arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssctl.8.xml:32 msgid "" "<command>sssctl</command> provides a simple and unified way to obtain " "information about SSSD status, such as active server, auto-discovered " "servers, domains and cached objects. In addition, it can manage SSSD data " "files for troubleshooting in such a way that is safe to manipulate while " "SSSD is running." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssctl.8.xml:43 msgid "" "To list all available commands run <command>sssctl</command> without any " "parameters. To print help for selected command run <command>sssctl COMMAND --" "help</command>." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-files.5.xml:10 sssd-files.5.xml:16 msgid "sssd-files" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-files.5.xml:17 msgid "SSSD files provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:23 msgid "" "This manual page describes the files provider for <citerefentry> " "<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </" "citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:36 msgid "" "The files provider mirrors the content of the <citerefentry> " "<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " "provider is to make the users and groups traditionally only accessible with " "NSS interfaces also available through the SSSD interfaces such as " "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:55 msgid "" "Another reason is to provide efficient caching of local users and groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:58 msgid "" "Please note that besides explicit domain definition the files provider can " "be configured also implicitly using 'enable_files_domain' option. See " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:66 msgid "" "SSSD never handles resolution of user/group \"root\". Also resolution of UID/" "GID 0 is not handled by SSSD. Such requests are passed to next NSS module " "(usually files)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:71 msgid "" "When SSSD is not running or responding, nss_sss returns the UNAVAIL code " "which causes the request to be passed to the next module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-files.5.xml:95 msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:98 msgid "" "Comma-separated list of one or multiple password filenames to be read and " "enumerated by the files provider, inotify monitor watches will be set on " "each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:104 msgid "Default: /etc/passwd" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-files.5.xml:110 msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:113 msgid "" "Comma-separated list of one or multiple group filenames to be read and " "enumerated by the files provider, inotify monitor watches will be set on " "each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:119 msgid "Default: /etc/group" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-files.5.xml:125 msgid "fallback_to_nss (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:128 msgid "" "While updating the internal data SSSD will return an error and let the " "client continue with the next NSS module. This helps to avoid delays when " "using the default system files <filename>/etc/passwd</filename> and " "<filename>/etc/group</filename> and the NSS configuration has 'sss' before " "'files' for the 'passwd' and 'group' maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:138 msgid "" "If the files provider is configured to monitor other files it makes sense to " "set this option to 'False' to avoid inconsistent behavior because in general " "there would be no other NSS module which can be used as a fallback." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:79 msgid "" "In addition to the options listed below, generic SSSD domain options can be " "set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " "of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for details on the configuration of " "an SSSD domain. But the purpose of the files provider is to expose the same " "data as the UNIX files, just through the SSSD interfaces. Therefore not all " "generic domain options are supported. Likewise, some global options, such as " "overriding the shell in the <quote>nss</quote> section for all domains has " "no effect on the files domain unless explicitly specified per-domain. " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:157 msgid "" "The following example assumes that SSSD is correctly configured and files is " "one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-files.5.xml:163 #, no-wrap msgid "" "[domain/files]\n" "id_provider = files\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:168 msgid "" "To leverage caching of local users and groups by SSSD nss_sss module must be " "listed before nss_files module in /etc/nsswitch.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-files.5.xml:174 #, no-wrap msgid "" "passwd: sss files\n" "group: sss files\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-session-recording.5.xml:17 msgid "Configuring session recording with SSSD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:23 msgid "" "This manual page describes how to configure <citerefentry> " "<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " "to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " "implement user session recording on text terminals. For a detailed " "configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:41 msgid "" "SSSD can be set up to enable recording of everything specific users see or " "type during their sessions on text terminals. E.g. when users log in on the " "console, or via SSH. SSSD itself doesn't record anything, but makes sure " "tlog-rec-session is started upon user login, so it can record according to " "its configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:48 msgid "" "For users with session recording enabled, SSSD replaces the user shell with " "tlog-rec-session in NSS responses, and adds a variable specifying the " "original shell to the user environment, upon PAM session setup. This way " "tlog-rec-session can be started in place of the user shell, and know which " "actual shell to start, once it set up the recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:60 msgid "These options can be used to configure the session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:178 msgid "" "The following snippet of sssd.conf enables session recording for users " "\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-session-recording.5.xml:183 #, no-wrap msgid "" "[session_recording]\n" "scope = some\n" "users = contractor1, contractor2\n" "groups = students\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 msgid "sssd-kcm" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-kcm.8.xml:17 msgid "SSSD Kerberos Cache Manager" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:23 msgid "" "This manual page describes the configuration of the SSSD Kerberos Cache " "Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " "credential caches. It originates in the Heimdal Kerberos project, although " "the MIT Kerberos library also provides client side (more details on that " "below) support for the KCM credential cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:31 msgid "" "In a setup where Kerberos caches are managed by KCM, the Kerberos library " "(typically used through an application, like e.g., <citerefentry> " "<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> </" "citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " "being referred to as a <quote>\"KCM server\"</quote>. The client and server " "communicate over a UNIX socket." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:42 msgid "" "The KCM server keeps track of each credential caches's owner and performs " "access check control based on the UID and GID of the KCM client. The root " "user has access to all credential caches." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:47 msgid "The KCM credential cache has several interesting properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-kcm.8.xml:51 msgid "" "since the process runs in userspace, it is subject to UID namespacing, " "unlike the kernel keyring" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-kcm.8.xml:56 msgid "" "unlike the kernel keyring-based cache, which is shared between all " "containers, the KCM server is a separate process whose entry point is a UNIX " "socket" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-kcm.8.xml:61 msgid "" "the SSSD implementation stores the ccaches in a database, typically located " "at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " "survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:67 msgid "" "This allows the system to use a collection-aware credential cache, yet share " "the credential cache between some or no containers by bind-mounting the " "socket." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:72 msgid "" "The KCM default client idle timeout is 5 minutes, this allows more time for " "user interaction with command line tools such as kinit." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:78 msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:88 #, no-wrap msgid "" "[libdefaults]\n" " default_ccache_name = KCM:\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:80 msgid "" "In order to use KCM credential cache, it must be selected as the default " "credential type in <citerefentry> <refentrytitle>krb5.conf</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, The credentials " "cache name must be only <quote>KCM:</quote> without any template " "expansions. For example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:93 msgid "" "Next, make sure the Kerberos client libraries and the KCM server must agree " "on the UNIX socket path. By default, both use the same path <replaceable>/" "var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure the Kerberos " "library, change its <quote>kcm_socket</quote> option which is described in " "the <citerefentry> <refentrytitle>krb5.conf</refentrytitle><manvolnum>5</" "manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:115 #, no-wrap msgid "" "systemctl start sssd-kcm.socket\n" "systemctl enable sssd-kcm.socket\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:104 msgid "" "Finally, make sure the SSSD KCM server can be contacted. The KCM service is " "typically socket-activated by <citerefentry> <refentrytitle>systemd</" "refentrytitle> <manvolnum>1</manvolnum> </citerefentry>. Unlike other SSSD " "services, it cannot be started by adding the <quote>kcm</quote> string to " "the <quote>service</quote> directive. <placeholder type=\"programlisting\" " "id=\"0\"/> Please note your distribution may already configure the units for " "you." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:124 msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:126 msgid "" "The credential caches are stored in a database, much like SSSD caches user " "or group entries. The database is typically located at <quote>/var/lib/sss/" "secrets</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:133 msgid "OBTAINING DEBUG LOGS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:144 #, no-wrap msgid "" "[kcm]\n" "debug_level = 10\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:149 sssd-kcm.8.xml:211 #, no-wrap msgid "" "systemctl restart sssd-kcm.service\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:135 msgid "" "The sssd-kcm service is typically socket-activated <citerefentry> " "<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> </" "citerefentry>. To generate debug logs, add the following either to the " "<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " "snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " "type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " "<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever use-" "case doesn't work for you. The KCM logs will be generated at <filename>/var/" "log/sssd/sssd_kcm.log</filename>. It is recommended to disable the debug " "logs when you no longer need the debugging to be enabled as the sssd-kcm " "service can generate quite a large amount of debugging information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:159 msgid "" "Please note that configuration snippets are, at the moment, only processed " "if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " "exists at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:166 msgid "RENEWALS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:174 #, no-wrap msgid "" "tgt_renewal = true\n" "krb5_renew_interval = 60m\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:168 msgid "" "The sssd-kcm service can be configured to attempt TGT renewal for renewable " "TGTs stored in the KCM ccache. Renewals are only attempted when half of the " "ticket lifetime has been reached. KCM Renewals are configured when the " "following options are set in the [kcm] section: <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:179 msgid "" "SSSD can also inherit krb5 options for renewals from an existing domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: sssd-kcm.8.xml:183 #, no-wrap msgid "" "tgt_renewal = true\n" "tgt_renewal_inherit = domain-name\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:191 #, no-wrap msgid "" "krb5_renew_interval\n" "krb5_renewable_lifetime\n" "krb5_lifetime\n" "krb5_validate\n" "krb5_canonicalize\n" "krb5_auth_timeout\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:187 msgid "" "The following krb5 options can be configured in the [kcm] section to control " "renewal behavior, these options are described in detail below <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:204 msgid "" "The KCM service is configured in the <quote>kcm</quote> section of the sssd." "conf file. Please note that because the KCM service is typically socket-" "activated, it is enough to just restart the <quote>sssd-kcm</quote> service " "after changing options in the <quote>kcm</quote> section of sssd.conf: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:215 msgid "" "The KCM service is configured in the <quote>kcm</quote> For a detailed " "syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:223 msgid "" "The generic SSSD service options such as <quote>debug_level</quote> or " "<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " "the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for a complete list. In addition, " "there are some KCM-specific options as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:234 msgid "socket_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:237 msgid "The socket the KCM service will listen on." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:240 msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:243 msgid "" "<phrase condition=\"have_systemd\"> Note: on platforms where systemd is " "supported, the socket path is overwritten by the one defined in the sssd-kcm." "socket unit file. </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:252 msgid "max_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:255 msgid "How many credential caches does the KCM database allow for all users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:259 msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:264 msgid "max_uid_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:267 msgid "" "How many credential caches does the KCM database allow per UID. This is " "equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:272 msgid "Default: 64" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:277 msgid "max_ccache_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:280 msgid "" "How big can a credential cache be per ccache. Each service ticket accounts " "into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:284 msgid "Default: 65536" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:289 msgid "tgt_renewal (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:292 msgid "Enables TGT renewals functionality." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:295 msgid "Default: False (Automatic renewals disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:300 msgid "tgt_renewal_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:303 msgid "Domain to inherit krb5_* options from, for use with TGT renewals." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:307 #, fuzzy #| msgid "Default: 200000" msgid "Default: NULL" msgstr "Výchozí: 200000" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:318 msgid "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 msgid "sssd-systemtap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-systemtap.5.xml:17 msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:23 msgid "" "This manual page provides information about the systemtap functionality in " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:32 msgid "" "SystemTap Probe points have been added into various locations in SSSD code " "to assist in troubleshooting and analyzing performance related issues." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-systemtap.5.xml:40 msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-systemtap.5.xml:46 msgid "" "Probes and miscellaneous functions are defined in /usr/share/systemtap/" "tapset/sssd.stp and /usr/share/systemtap/tapset/sssd_functions.stp " "respectively." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-systemtap.5.xml:57 msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" "The information below lists the probe points and arguments available in the " "following format:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:64 msgid "probe $name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:67 msgid "Description of probe point" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:70 #, no-wrap msgid "" "variable1:datatype\n" "variable2:datatype\n" "variable3:datatype\n" "...\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:80 msgid "Database Transaction Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:84 msgid "probe sssd_transaction_start" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:87 msgid "" "Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 #: sssd-systemtap.5.xml:131 #, no-wrap msgid "" "nesting:integer\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:97 msgid "probe sssd_transaction_cancel" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:100 msgid "" "Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " "function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:111 msgid "probe sssd_transaction_commit_before" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:114 msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:124 msgid "probe sssd_transaction_commit_after" msgstr "vyzkoušet sssd_transaction_commit_after" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:127 msgid "Probes the sysdb_transaction_commit_after() function." msgstr "Vyzkouší funkci sysdb_transaction_commit_after()." #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:141 msgid "LDAP Search Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:145 msgid "probe sdap_search_send" msgstr "vyzkouší sdap_search_send" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:148 msgid "Probes the sdap_get_generic_ext_send() function." msgstr "Vyzkouší funkci sdap_get_generic_ext_send()." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:152 #, no-wrap msgid "" "base:string\n" "scope:integer\n" "filter:string\n" "attrs:string\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:161 msgid "probe sdap_search_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:164 msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 #, no-wrap msgid "" "base:string\n" "scope:integer\n" "filter:string\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:176 msgid "probe sdap_parse_entry" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:179 msgid "" "Probes the sdap_parse_entry() function. It is called repeatedly with every " "received attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:184 #, no-wrap msgid "" "attr:string\n" "value:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:190 msgid "probe sdap_parse_entry_done" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:193 msgid "" "Probes the sdap_parse_entry() function. It is called when parsing of " "received object is finished." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:201 msgid "probe sdap_deref_send" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:204 msgid "Probes the sdap_deref_search_send() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:208 #, no-wrap msgid "" "base_dn:string\n" "deref_attr:string\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:215 msgid "probe sdap_deref_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:218 msgid "Probes the sdap_deref_search_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:234 msgid "LDAP Account Request Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:238 msgid "probe sdap_acct_req_send" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:241 msgid "Probes the sdap_acct_req_send() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 #, no-wrap msgid "" "entry_type:int\n" "filter_type:int\n" "filter_value:string\n" "extra_value:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:253 msgid "probe sdap_acct_req_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:256 msgid "Probes the sdap_acct_req_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:272 msgid "LDAP User Search Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:276 msgid "probe sdap_search_user_send" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:279 msgid "Probes the sdap_search_user_send() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 #: sssd-systemtap.5.xml:319 #, no-wrap msgid "" "filter:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:288 msgid "probe sdap_search_user_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:291 msgid "Probes the sdap_search_user_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:300 msgid "probe sdap_search_user_save_begin" msgstr "probe sdap_search_user_save_begin" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:303 msgid "Probes the sdap_search_user_save_begin() function." msgstr "Zkouší funkci sdap_search_user_save_begin()." #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:312 msgid "probe sdap_search_user_save_end" msgstr "vyzkoušet sdap_search_user_save_end" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:315 msgid "Probes the sdap_search_user_save_end() function." msgstr "Vyzkouší funkci sdap_search_user_save_end()." #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:328 msgid "Data Provider Request Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:332 msgid "probe dp_req_send" msgstr "probe dp_req_send" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:335 msgid "A Data Provider request is submitted." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:338 #, no-wrap msgid "" "dp_req_domain:string\n" "dp_req_name:string\n" "dp_req_target:int\n" "dp_req_method:int\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:346 msgid "probe dp_req_done" msgstr "probe dp_req_done" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:349 msgid "A Data Provider request is completed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:352 #, no-wrap msgid "" "dp_req_name:string\n" "dp_req_target:int\n" "dp_req_method:int\n" "dp_ret:int\n" "dp_errorstr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:365 msgid "MISCELLANEOUS FUNCTIONS" msgstr "RŮZNÉ FUNKCE" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:372 msgid "function acct_req_desc(entry_type)" msgstr "function acct_req_desc(entry_type)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:375 msgid "Convert entry_type to string and return string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:380 msgid "" "function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " "filter_value, extra_value)" msgstr "" "funkce sssd_acct_req_probestr(fc_name, entry_type, filter_type, " "filter_value, extra_value)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:384 msgid "Create probe string based on filter type" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:389 msgid "function dp_target_str(target)" msgstr "funkce dp_target_str(target)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:392 msgid "Convert target to string and return string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:397 msgid "function dp_method_str(target)" msgstr "funkce dp_method_str(target)" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:400 msgid "Convert method to string and return string" msgstr "Převést metodu na řetězec a vrátit řetězec" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-systemtap.5.xml:410 msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:412 msgid "" "Start the SystemTap script (<command>stap /usr/share/sssd/systemtap/<" "script_name>.stp</command>), then perform an identity operation and the " "script will collect information from probes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:418 msgid "Provided SystemTap scripts are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:422 msgid "dp_request.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:425 msgid "Monitoring of data provider request performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:430 msgid "id_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:433 msgid "Monitoring of <command>id</command> command performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:439 msgid "ldap_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:442 msgid "Monitoring of LDAP queries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:447 msgid "nested_group_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:450 msgid "Performance of nested groups resolving." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 msgid "sssd-ldap-attributes" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ldap-attributes.5.xml:17 msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap-attributes.5.xml:23 msgid "" "This manual page describes the mapping attributes of SSSD LDAP provider " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry>. Refer to the <citerefentry> <refentrytitle>sssd-" "ldap</refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page " "for full details about SSSD LDAP provider configuration options." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:38 msgid "USER ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:42 msgid "ldap_user_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:45 msgid "The object class of a user entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:48 msgid "Default: posixAccount" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:54 msgid "ldap_user_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:57 msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:61 msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:68 msgid "ldap_user_uid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:71 msgid "The LDAP attribute that corresponds to the user's id." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:75 msgid "Default: uidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:81 msgid "ldap_user_gid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:84 msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:700 msgid "Default: gidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:94 msgid "ldap_user_primary_group (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:97 msgid "" "Active Directory primary group attribute for ID-mapping. Note that this " "attribute should only be set manually if you are running the <quote>ldap</" "quote> provider with ID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:103 msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:109 msgid "ldap_user_gecos (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:112 msgid "The LDAP attribute that corresponds to the user's gecos field." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:116 msgid "Default: gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:122 msgid "ldap_user_home_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:125 msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:129 msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:135 msgid "ldap_user_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:138 msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:142 msgid "Default: loginShell" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:148 msgid "ldap_user_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:151 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:726 msgid "" "Default: not set in the general case, objectGUID for AD and ipaUniqueID for " "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:162 msgid "ldap_user_objectsid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:165 msgid "" "The LDAP attribute that contains the objectSID of an LDAP user object. This " "is usually only necessary for ActiveDirectory servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:741 msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:177 msgid "ldap_user_modify_timestamp (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:751 #: sssd-ldap-attributes.5.xml:874 msgid "" "The LDAP attribute that contains timestamp of the last modification of the " "parent object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:755 #: sssd-ldap-attributes.5.xml:881 msgid "Default: modifyTimestamp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:190 msgid "ldap_user_shadow_last_change (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:193 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (date of " "the last password change)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:203 msgid "Default: shadowLastChange" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:209 msgid "ldap_user_shadow_min (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:212 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (minimum " "password age)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:221 msgid "Default: shadowMin" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:227 msgid "ldap_user_shadow_max (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:230 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart (maximum " "password age)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:239 msgid "Default: shadowMax" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:245 msgid "ldap_user_shadow_warning (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:248 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " "(password warning period)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:258 msgid "Default: shadowWarning" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:264 msgid "ldap_user_shadow_inactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:267 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> <refentrytitle>shadow</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> counterpart " "(password inactivity period)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:277 msgid "Default: shadowInactive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:283 msgid "ldap_user_shadow_expire (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:286 msgid "" "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " "parameter contains the name of an LDAP attribute corresponding to its " "<citerefentry> <refentrytitle>shadow</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> counterpart (account expiration date)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:296 msgid "Default: shadowExpire" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:302 msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:305 msgid "" "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " "an LDAP attribute storing the date and time of last password change in " "kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:311 msgid "Default: krbLastPwdChange" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:317 msgid "ldap_user_krb_password_expiration (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:320 msgid "" "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " "an LDAP attribute storing the date and time when current password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:326 msgid "Default: krbPasswordExpiration" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:332 msgid "ldap_user_ad_account_expires (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:335 msgid "" "When using ldap_account_expire_policy=ad, this parameter contains the name " "of an LDAP attribute storing the expiration time of the account." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:340 msgid "Default: accountExpires" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:346 msgid "ldap_user_ad_user_account_control (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:349 msgid "" "When using ldap_account_expire_policy=ad, this parameter contains the name " "of an LDAP attribute storing the user account control bit field." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:354 msgid "Default: userAccountControl" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:360 msgid "ldap_ns_account_lock (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:363 msgid "" "When using ldap_account_expire_policy=rhds or equivalent, this parameter " "determines if access is allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:368 msgid "Default: nsAccountLock" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:374 msgid "ldap_user_nds_login_disabled (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:377 msgid "" "When using ldap_account_expire_policy=nds, this attribute determines if " "access is allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 msgid "Default: loginDisabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:387 msgid "ldap_user_nds_login_expiration_time (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:390 msgid "" "When using ldap_account_expire_policy=nds, this attribute determines until " "which date access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:401 msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:404 msgid "" "When using ldap_account_expire_policy=nds, this attribute determines the " "hours of a day in a week when access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:409 msgid "Default: loginAllowedTimeMap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:415 msgid "ldap_user_principal (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:418 msgid "" "The LDAP attribute that contains the user's Kerberos User Principal Name " "(UPN)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:422 msgid "Default: krbPrincipalName" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:428 msgid "ldap_user_extra_attrs (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:431 msgid "" "Comma-separated list of LDAP attributes that SSSD would fetch along with the " "usual set of user attributes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:436 msgid "" "The list can either contain LDAP attribute names only, or colon-separated " "tuples of SSSD cache attribute name and LDAP attribute name. In case only " "LDAP attribute name is specified, the attribute is saved to the cache " "verbatim. Using a custom SSSD attribute name might be required by " "environments that configure several SSSD domains with different LDAP schemas." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:446 msgid "" "Please note that several attribute names are reserved by SSSD, notably the " "<quote>name</quote> attribute. SSSD would report an error if any of the " "reserved attribute names is used as an extra attribute name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:456 msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:459 msgid "" "Save the <quote>telephoneNumber</quote> attribute from LDAP as " "<quote>telephoneNumber</quote> to the cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:463 msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:466 msgid "" "Save the <quote>telephoneNumber</quote> attribute from LDAP as <quote>phone</" "quote> to the cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:476 msgid "ldap_user_ssh_public_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:479 msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:965 msgid "Default: sshPublicKey" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:489 msgid "ldap_user_fullname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:492 msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:502 msgid "ldap_user_member_of (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:505 msgid "The LDAP attribute that lists the user's group memberships." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:952 msgid "Default: memberOf" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:515 msgid "ldap_user_authorized_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:518 msgid "" "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " "use the presence of the authorizedService attribute in the user's LDAP entry " "to determine access privilege." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:525 msgid "" "An explicit deny (!svc) is resolved first. Second, SSSD searches for " "explicit allow (svc) and finally for allow_all (*)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:530 msgid "" "Please note that the ldap_access_order configuration option <emphasis>must</" "emphasis> include <quote>authorized_service</quote> in order for the " "ldap_user_authorized_service option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:537 msgid "" "Some distributions (such as Fedora-29+ or RHEL-8) always include the " "<quote>systemd-user</quote> PAM service as part of the login process. " "Therefore when using service-based access control, the <quote>systemd-user</" "quote> service might need to be added to the list of allowed services." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:545 msgid "Default: authorizedService" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:551 msgid "ldap_user_authorized_host (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:554 msgid "" "If access_provider=ldap and ldap_access_order=host, SSSD will use the " "presence of the host attribute in the user's LDAP entry to determine access " "privilege." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:560 msgid "" "An explicit deny (!host) is resolved first. Second, SSSD searches for " "explicit allow (host) and finally for allow_all (*)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:565 msgid "" "Please note that the ldap_access_order configuration option <emphasis>must</" "emphasis> include <quote>host</quote> in order for the " "ldap_user_authorized_host option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:572 msgid "Default: host" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:578 msgid "ldap_user_authorized_rhost (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:581 msgid "" "If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " "presence of the rhost attribute in the user's LDAP entry to determine access " "privilege. Similarly to host verification process." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:588 msgid "" "An explicit deny (!rhost) is resolved first. Second, SSSD searches for " "explicit allow (rhost) and finally for allow_all (*)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:593 msgid "" "Please note that the ldap_access_order configuration option <emphasis>must</" "emphasis> include <quote>rhost</quote> in order for the " "ldap_user_authorized_rhost option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:600 msgid "Default: rhost" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:606 msgid "ldap_user_certificate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:609 msgid "Name of the LDAP attribute containing the X509 certificate of the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:613 msgid "Default: userCertificate;binary" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:619 msgid "ldap_user_email (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:622 msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:626 msgid "" "Note: If an email address of a user conflicts with an email address or fully " "qualified name of another user, then SSSD will not be able to serve those " "users properly. This option allows users to login by (1) username, and (2) e-" "mail address. If for some reason several users need to share the same email " "address then set this option to a nonexistent attribute name in order to " "disable user lookup/login by email." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:637 msgid "Default: mail" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:642 #, fuzzy #| msgid "simple_deny_users (string)" msgid "ldap_user_passkey (string)" msgstr "simple_deny_users (řetězec)" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:645 #, fuzzy #| msgid "" #| "The LDAP attribute that contains the names of the netgroup's members." msgid "" "Name of the LDAP attribute containing the passkey mapping data of the user." msgstr "LDAP atribut, který obsahuje jména členů síťové skupiny." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:649 msgid "Default: passkey (LDAP), ipaPassKey (IPA), altSecurityIdentities (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:659 msgid "GROUP ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:663 msgid "ldap_group_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:666 msgid "The object class of a group entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:669 msgid "Default: posixGroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:675 msgid "ldap_group_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:678 msgid "" "The LDAP attribute that corresponds to the group name. In an environment " "with nested groups, this value must be an LDAP attribute which has a unique " "name for every group. This requirement includes non-POSIX groups in the tree " "of nested groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:686 msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:693 msgid "ldap_group_gid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:696 msgid "The LDAP attribute that corresponds to the group's id." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:706 msgid "ldap_group_member (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:709 msgid "The LDAP attribute that contains the names of the group's members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:713 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:719 msgid "ldap_group_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:722 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:733 msgid "ldap_group_objectsid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:736 msgid "" "The LDAP attribute that contains the objectSID of an LDAP group object. This " "is usually only necessary for ActiveDirectory servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:748 msgid "ldap_group_modify_timestamp (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:761 msgid "ldap_group_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:764 msgid "" "The LDAP attribute that contains an integer value indicating the type of the " "group and maybe other flags." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:769 msgid "" "This attribute is currently only used by the AD provider to determine if a " "group is a domain local groups and has to be filtered out for trusted " "domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:775 msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:782 msgid "ldap_group_external_member (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:785 msgid "" "The LDAP attribute that references group members that are defined in an " "external domain. At the moment, only IPA's external members are supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:791 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:801 msgid "NETGROUP ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:805 msgid "ldap_netgroup_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:808 msgid "The object class of a netgroup entry in LDAP." msgstr "Třída objektu položky dané netgroup v LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:811 msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:815 msgid "Default: nisNetgroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:821 msgid "ldap_netgroup_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:824 msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "LDAP atribut, který odpovídá názvu netgroup." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:828 msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:838 msgid "ldap_netgroup_member (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:841 msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "LDAP atribut, který obsahuje jména členů síťové skupiny." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:845 msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:849 msgid "Default: memberNisNetgroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:855 msgid "ldap_netgroup_triple (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:858 msgid "" "The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:862 sssd-ldap-attributes.5.xml:878 msgid "This option is not available in IPA provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:865 msgid "Default: nisNetgroupTriple" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:871 msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:890 msgid "HOST ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:894 msgid "ldap_host_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:897 msgid "The object class of a host entry in LDAP." msgstr "Třída objektu položky hostitele v LDAP." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:900 sssd-ldap-attributes.5.xml:997 msgid "Default: ipService" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:906 msgid "ldap_host_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:909 sssd-ldap-attributes.5.xml:935 msgid "The LDAP attribute that corresponds to the host's name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:919 msgid "ldap_host_fqdn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:922 msgid "" "The LDAP attribute that corresponds to the host's fully-qualified domain " "name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:926 msgid "Default: fqdn" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:932 msgid "ldap_host_serverhostname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:939 msgid "Default: serverHostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:945 msgid "ldap_host_member_of (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:948 msgid "The LDAP attribute that lists the host's group memberships." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:958 msgid "ldap_host_ssh_public_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:961 msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "LDAP atribut, který obsahuje veřejné části SSH klíčů hostitele." #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:971 msgid "ldap_host_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:974 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:987 msgid "SERVICE ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:991 msgid "ldap_service_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:994 msgid "The object class of a service entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1003 msgid "ldap_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1006 msgid "" "The LDAP attribute that contains the name of service attributes and their " "aliases." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1016 msgid "ldap_service_port (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1019 msgid "The LDAP attribute that contains the port managed by this service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1023 msgid "Default: ipServicePort" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1029 msgid "ldap_service_proto (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1032 msgid "" "The LDAP attribute that contains the protocols understood by this service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1036 msgid "Default: ipServiceProtocol" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1045 msgid "SUDO ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1049 msgid "ldap_sudorule_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1052 msgid "The object class of a sudo rule entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1055 msgid "Default: sudoRole" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1061 msgid "ldap_sudorule_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1064 msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1074 msgid "ldap_sudorule_command (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1077 msgid "The LDAP attribute that corresponds to the command name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1081 msgid "Default: sudoCommand" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1087 msgid "ldap_sudorule_host (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1090 msgid "" "The LDAP attribute that corresponds to the host name (or host IP address, " "host IP network, or host netgroup)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1095 msgid "Default: sudoHost" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1101 msgid "ldap_sudorule_user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1104 msgid "" "The LDAP attribute that corresponds to the user name (or UID, group name or " "user's netgroup)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1108 msgid "Default: sudoUser" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1114 msgid "ldap_sudorule_option (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1117 msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1121 msgid "Default: sudoOption" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1127 msgid "ldap_sudorule_runasuser (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1130 msgid "" "The LDAP attribute that corresponds to the user name that commands may be " "run as." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1134 msgid "Default: sudoRunAsUser" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1140 msgid "ldap_sudorule_runasgroup (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1143 msgid "" "The LDAP attribute that corresponds to the group name or group GID that " "commands may be run as." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1147 msgid "Default: sudoRunAsGroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1153 msgid "ldap_sudorule_notbefore (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1156 msgid "" "The LDAP attribute that corresponds to the start date/time for when the sudo " "rule is valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1160 msgid "Default: sudoNotBefore" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1166 msgid "ldap_sudorule_notafter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1169 msgid "" "The LDAP attribute that corresponds to the expiration date/time, after which " "the sudo rule will no longer be valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1174 msgid "Default: sudoNotAfter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1180 msgid "ldap_sudorule_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1183 msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1187 msgid "Default: sudoOrder" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1196 msgid "AUTOFS ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1203 msgid "IP HOST ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1207 msgid "ldap_iphost_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1210 msgid "The object class of an iphost entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1213 msgid "Default: ipHost" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1219 msgid "ldap_iphost_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1222 msgid "" "The LDAP attribute that contains the name of the IP host attributes and " "their aliases." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1232 msgid "ldap_iphost_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1235 msgid "The LDAP attribute that contains the IP host address." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1239 msgid "Default: ipHostNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1248 msgid "IP NETWORK ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1252 msgid "ldap_ipnetwork_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1255 msgid "The object class of an ipnetwork entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1258 msgid "Default: ipNetwork" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1264 msgid "ldap_ipnetwork_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1267 msgid "" "The LDAP attribute that contains the name of the IP network attributes and " "their aliases." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1277 msgid "ldap_ipnetwork_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1280 msgid "The LDAP attribute that contains the IP network address." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1284 msgid "Default: ipNetworkNumber" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd_krb5_localauth_plugin.8.xml:10 sssd_krb5_localauth_plugin.8.xml:15 msgid "sssd_krb5_localauth_plugin" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd_krb5_localauth_plugin.8.xml:16 msgid "Kerberos local authorization plugin" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:22 msgid "" "The Kerberos local authorization plugin <command>sssd_krb5_localauth_plugin</" "command> is used by libkrb5 to either find the local name for a given " "Kerberos principal or to check if a given local name and a given Kerberos " "principal relate to each other." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:29 msgid "" "SSSD handles the local names for users from a remote source and can read the " "Kerberos user principal name from the remote source as well. With this " "information SSSD can easily handle the mappings mentioned above even if the " "local name and the Kerberos principal differ considerably." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:36 msgid "" "Additionally with the information read from the remote source SSSD can help " "to prevent unexpected or unwanted mappings in case the user part of the " "Kerberos principal accidentally corresponds to a local name of a different " "user. By default libkrb5 might just strip the realm part of the Kerberos " "principal to get the local name which would lead to wrong mappings in this " "case." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd_krb5_localauth_plugin.8.xml:46 msgid "CONFIGURATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd_krb5_localauth_plugin.8.xml:56 #, no-wrap msgid "" "[plugins]\n" " localauth = {\n" " module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so\n" " }\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:48 msgid "" "The Kerberos local authorization plugin must be enabled explicitly in the " "Kerberos configuration, see <citerefentry> <refentrytitle>krb5.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>. SSSD will create a " "config snippet with the content like e.g. <placeholder " "type=\"programlisting\" id=\"0\"/> automatically in the SSSD's public " "Kerberos configuration snippet directory. If this directory is included in " "the local Kerberos configuration the plugin will be enabled automatically." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:3 msgid "ldap_autofs_map_object_class (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:6 msgid "The object class of an automount map entry in LDAP." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:9 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:16 msgid "ldap_autofs_map_name (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:19 msgid "The name of an automount map entry in LDAP." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:22 msgid "" "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise automountMapName" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:29 msgid "ldap_autofs_entry_object_class (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:32 msgid "" "The object class of an automount entry in LDAP. The entry usually " "corresponds to a mount point." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:37 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:44 msgid "ldap_autofs_entry_key (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 msgid "" "The key of an automount entry in LDAP. The entry usually corresponds to a " "mount point." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:51 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:58 msgid "ldap_autofs_entry_value (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:65 msgid "" "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " "automountInformation" msgstr "" #. type: Content of: <refsect1><title> #: include/service_discovery.xml:2 msgid "SERVICE DISCOVERY" msgstr "OBJEVOVÁNÍ SLUŽBY" #. type: Content of: <refsect1><para> #: include/service_discovery.xml:4 msgid "" "The service discovery feature allows back ends to automatically find the " "appropriate servers to connect to using a special DNS query. This feature is " "not supported for backup servers." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 msgid "Configuration" msgstr "Nastavení" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:11 msgid "" "If no servers are specified, the back end automatically uses service " "discovery to try to find a server. Optionally, the user may choose to use " "both fixed server addresses and service discovery by inserting a special " "keyword, <quote>_srv_</quote>, in the list of servers. The order of " "preference is maintained. This feature is useful if, for example, the user " "prefers to use service discovery whenever possible, and fall back to a " "specific server when no servers can be discovered using DNS." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:23 msgid "The domain name" msgstr "Název domény" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:25 msgid "" "Please refer to the <quote>dns_discovery_domain</quote> parameter in the " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry> manual page for more details." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:35 msgid "The protocol" msgstr "Protokol" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:37 msgid "" "The queries usually specify _tcp as the protocol. Exceptions are documented " "in respective option description." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:42 msgid "See Also" msgstr "Viz také" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:44 msgid "" "For more information on the service discovery mechanism, refer to RFC 2782." msgstr "" #. type: Content of: <refentryinfo> #: include/upstream.xml:2 msgid "" "<productname>SSSD</productname> <orgname>The SSSD upstream - https://github." "com/SSSD/sssd/</orgname>" msgstr "" #. type: Content of: outside any tag (error?) #: include/upstream.xml:1 msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" msgstr "<placeholder type=\"refentryinfo\" id=\"0\"/>" #. type: Content of: <refsect1><title> #: include/failover.xml:2 msgid "FAILOVER" msgstr "" #. type: Content of: <refsect1><para> #: include/failover.xml:4 msgid "" "The failover feature allows back ends to automatically switch to a different " "server if the current server fails." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/failover.xml:8 msgid "Failover Syntax" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:10 msgid "" "The list of servers is given as a comma-separated list; any number of spaces " "is allowed around the comma. The servers are listed in order of preference. " "The list can contain any number of servers." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:16 msgid "" "For each failover-enabled config option, two variants exist: " "<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " "that servers in the primary list are preferred and backup servers are only " "searched if no primary servers can be reached. If a backup server is " "selected, a timeout of 31 seconds is set. After this timeout SSSD will " "periodically try to reconnect to one of the primary servers. If it succeeds, " "it will replace the current active (backup) server." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/failover.xml:27 msgid "The Failover Mechanism" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:29 msgid "" "The failover mechanism distinguishes between a machine and a service. The " "back end first tries to resolve the hostname of a given machine; if this " "resolution attempt fails, the machine is considered offline. No further " "attempts are made to connect to this machine for any other service. If the " "resolution attempt succeeds, the back end tries to connect to a service on " "this machine. If the service connection attempt fails, then only this " "particular service is considered offline and the back end automatically " "switches over to the next service. The machine is still considered online " "and might still be tried for another service." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:42 msgid "" "Further connection attempts are made to machines or services marked as " "offline after a specified period of time; this is currently hard coded to 30 " "seconds." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:47 msgid "" "If there are no more machines to try, the back end as a whole switches to " "offline mode, and then attempts to reconnect every 30 seconds." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/failover.xml:53 msgid "Failover time outs and tuning" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:55 msgid "" "Resolving a server to connect to can be as simple as running a single DNS " "query or can involve several steps, such as finding the correct site or " "trying out multiple host names in case some of the configured servers are " "not reachable. The more complex scenarios can take some time and SSSD needs " "to balance between providing enough time to finish the resolution process " "but on the other hand, not trying for too long before falling back to " "offline mode. If the SSSD debug logs show that the server resolution is " "timing out before a live server is contacted, you can consider changing the " "time outs." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> #: include/failover.xml:76 msgid "dns_resolver_server_timeout" msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: include/failover.xml:80 msgid "" "Time in milliseconds that sets how long would SSSD talk to a single DNS " "server before trying next one." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> #: include/failover.xml:90 msgid "dns_resolver_op_timeout" msgstr "dns_resolver_op_timeout" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: include/failover.xml:94 msgid "" "Time in seconds to tell how long would SSSD try to resolve single DNS query " "(e.g. resolution of a hostname or an SRV record) before trying the next " "hostname or discovery domain." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> #: include/failover.xml:106 msgid "dns_resolver_timeout" msgstr "dns_resolver_timeout" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: include/failover.xml:110 msgid "" "How long would SSSD try to resolve a failover service. This service " "resolution internally might include several steps, such as resolving DNS SRV " "queries or locating the site." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:67 msgid "" "This section lists the available tunables. Please refer to their description " "in the <citerefentry> <refentrytitle>sssd.conf</refentrytitle><manvolnum>5</" "manvolnum> </citerefentry>, manual page. <placeholder type=\"variablelist\" " "id=\"0\"/>" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:123 msgid "" "For LDAP-based providers, the resolve operation is performed as part of an " "LDAP connection operation. Therefore, also the <quote>ldap_opt_timeout</" "quote> timeout should be set to a larger value than " "<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " "value than <quote>dns_resolver_op_timeout</quote> which should be larger " "than <quote>dns_resolver_server_timeout</quote>." msgstr "" #. type: Content of: <refsect1><title> #: include/ldap_id_mapping.xml:2 msgid "ID MAPPING" msgstr "MAPOVÁNÍ IDENTIFIKÁTORŮ" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:4 msgid "" "The ID-mapping feature allows SSSD to act as a client of Active Directory " "without requiring administrators to extend user attributes to support POSIX " "attributes for user and group identifiers." msgstr "" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:9 msgid "" "NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " "ignored. This is to avoid the possibility of conflicts between automatically-" "assigned and manually-assigned values. If you need to use manually-assigned " "values, ALL values must be manually-assigned." msgstr "" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:16 msgid "" "Please note that changing the ID mapping related configuration options will " "cause user and group IDs to change. At the moment, SSSD does not support " "changing IDs, so the SSSD database must be removed. Because cached passwords " "are also stored in the database, removing the database should only be " "performed while the authentication servers are reachable, otherwise users " "might get locked out. In order to cache the password, an authentication must " "be performed. It is not sufficient to use <citerefentry> " "<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> </" "citerefentry> to remove the database, rather the process consists of:" msgstr "" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:33 msgid "Making sure the remote servers are reachable" msgstr "" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:38 msgid "Stopping the SSSD service" msgstr "Zastavování služby SSSD" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:43 msgid "Removing the database" msgstr "Odebrání databáze" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:48 msgid "Starting the SSSD service" msgstr "Spuštění služby SSSD" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:52 msgid "" "Moreover, as the change of IDs might necessitate the adjustment of other " "system properties such as file and directory ownership, it's advisable to " "plan ahead and test the ID mapping configuration thoroughly." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ldap_id_mapping.xml:59 msgid "Mapping Algorithm" msgstr "Mapovací algoritmus" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:61 msgid "" "Active Directory provides an objectSID for every user and group object in " "the directory. This objectSID can be broken up into components that " "represent the Active Directory domain identity and the relative identifier " "(RID) of the user or group object." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:67 msgid "" "The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " "into equally-sized component sections - called \"slices\"-. Each slice " "represents the space available to an Active Directory domain." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:73 msgid "" "When a user or group entry for a particular domain is encountered for the " "first time, the SSSD allocates one of the available slices for that domain. " "In order to make this slice-assignment repeatable on different client " "machines, we select the slice based on the following algorithm:" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:80 msgid "" "The SID string is passed through the murmurhash3 algorithm to convert it to " "a 32-bit hashed value. We then take the modulus of this value with the total " "number of available slices to pick the slice." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:86 msgid "" "NOTE: It is possible to encounter collisions in the hash and subsequent " "modulus. In these situations, we will select the next available slice, but " "it may not be possible to reproduce the same exact set of slices on other " "machines (since the order that they are encountered will determine their " "slice). In this situation, it is recommended to either switch to using " "explicit POSIX attributes in Active Directory (disabling ID-mapping) or " "configure a default domain to guarantee that at least one is always " "consistent. See <quote>Configuration</quote> for details." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:101 msgid "" "Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" msgstr "" #. type: Content of: <refsect1><refsect2><para><programlisting> #: include/ldap_id_mapping.xml:106 #, no-wrap msgid "" "ldap_id_mapping = True\n" "ldap_schema = ad\n" msgstr "" "ldap_id_mapping = True\n" "ldap_schema = ad\n" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:111 msgid "" "The default configuration results in configuring 10,000 slices, each capable " "of holding up to 200,000 IDs, starting from 200,000 and going up to " "2,000,200,000. This should be sufficient for most deployments." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><title> #: include/ldap_id_mapping.xml:117 msgid "Advanced Configuration" msgstr "Pokročilé nastavení" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:120 msgid "ldap_idmap_range_min (integer)" msgstr "ldap_idmap_range_min (celé číslo)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:123 msgid "" "Specifies the lower (inclusive) bound of the range of POSIX IDs to use for " "mapping Active Directory user and group SIDs. It is the first POSIX ID which " "can be used for the mapping." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:129 msgid "" "NOTE: This option is different from <quote>min_id</quote> in that " "<quote>min_id</quote> acts to filter the output of requests to this domain, " "whereas this option controls the range of ID assignment. This is a subtle " "distinction, but the good general advice would be to have <quote>min_id</" "quote> be less-than or equal to <quote>ldap_idmap_range_min</quote>" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:139 include/ldap_id_mapping.xml:197 msgid "Default: 200000" msgstr "Výchozí: 200000" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:144 msgid "ldap_idmap_range_max (integer)" msgstr "ldap_idmap_range_max (celé číslo)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:147 msgid "" "Specifies the upper (exclusive) bound of the range of POSIX IDs to use for " "mapping Active Directory user and group SIDs. It is the first POSIX ID which " "cannot be used for the mapping anymore, i.e. one larger than the last one " "which can be used for the mapping." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:155 msgid "" "NOTE: This option is different from <quote>max_id</quote> in that " "<quote>max_id</quote> acts to filter the output of requests to this domain, " "whereas this option controls the range of ID assignment. This is a subtle " "distinction, but the good general advice would be to have <quote>max_id</" "quote> be greater-than or equal to <quote>ldap_idmap_range_max</quote>" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:165 msgid "Default: 2000200000" msgstr "Výchozí: 2000200000" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:170 msgid "ldap_idmap_range_size (integer)" msgstr "ldap_idmap_range_size (celé číslo)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:173 msgid "" "Specifies the number of IDs available for each slice. If the range size " "does not divide evenly into the min and max values, it will create as many " "complete slices as it can." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:179 msgid "" "NOTE: The value of this option must be at least as large as the highest user " "RID planned for use on the Active Directory server. User lookups and login " "will fail for any user whose RID is greater than this value." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:185 msgid "" "For example, if your most recently-added Active Directory user has " "objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " "<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " "equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:192 msgid "" "It is important to plan ahead for future expansion, as changing this value " "will result in changing all of the ID mappings on the system, leading to " "users with different local IDs than they previously had." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:202 msgid "ldap_idmap_default_domain_sid (string)" msgstr "ldap_idmap_default_domain_sid (řetězec)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:205 msgid "" "Specify the domain SID of the default domain. This will guarantee that this " "domain will always be assigned to slice zero in the ID map, bypassing the " "murmurhash algorithm described above." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:216 msgid "ldap_idmap_default_domain (string)" msgstr "ldap_idmap_default_domain (řetězec)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:219 msgid "Specify the name of the default domain." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:227 msgid "ldap_idmap_autorid_compat (boolean)" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:230 msgid "" "Changes the behavior of the ID-mapping algorithm to behave more similarly to " "winbind's <quote>idmap_autorid</quote> algorithm." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:235 msgid "" "When this option is configured, domains will be allocated starting with " "slice zero and increasing monotonically with each additional domain." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:240 msgid "" "NOTE: This algorithm is non-deterministic (it depends on the order that " "users and groups are requested). If this mode is required for compatibility " "with machines running winbind, it is recommended to also use the " "<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " "least one domain is consistently allocated to slice zero." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:255 msgid "ldap_idmap_helper_table_size (integer)" msgstr "ldap_idmap_helper_table_size (celé číslo)" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:258 msgid "" "Maximal number of secondary slices that is tried when performing mapping " "from UNIX id to SID." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:262 msgid "" "Note: Additional secondary slices might be generated when SID is being " "mapped to UNIX id and RID part of SID is out of range for secondary slices " "generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " "then no additional secondary slices are generated." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ldap_id_mapping.xml:279 msgid "Well-Known SIDs" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:281 msgid "" "SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " "special hardcoded meaning. Since the generic users and groups related to " "those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " "POSIX IDs are available for those objects." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:287 msgid "" "The SID name space is organized in authorities which can be seen as " "different domains. The authorities for the Well-Known SIDs are" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:290 msgid "Null Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:291 msgid "World Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:292 msgid "Local Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:293 msgid "Creator Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:294 msgid "Mandatory Label Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:295 msgid "Authentication Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:296 msgid "NT Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:297 msgid "Built-in" msgstr "Vestavěné" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:299 msgid "" "The capitalized version of these names are used as domain names when " "returning the fully qualified name of a Well-Known SID." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:303 msgid "" "Since some utilities allow to modify SID based access control information " "with the help of a name instead of using the SID directly SSSD supports to " "look up the SID by the name as well. To avoid collisions only the fully " "qualified names can be used to look up Well-Known SIDs. As a result the " "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " "<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, " "<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION AUTHORITY</" "quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> should not be " "used as domain names in <filename>sssd.conf</filename>." msgstr "" #. type: Content of: <varlistentry><term> #: include/param_help.xml:3 msgid "<option>-?</option>,<option>--help</option>" msgstr "<option>-?</option>,<option>--help</option>" #. type: Content of: <varlistentry><listitem><para> #: include/param_help.xml:7 include/param_help_py.xml:7 msgid "Display help message and exit." msgstr "Zobraz nápovědu a ukonči program." #. type: Content of: <varlistentry><term> #: include/param_help_py.xml:3 msgid "<option>-h</option>,<option>--help</option>" msgstr "<option>-h</option>,<option>--help</option>" #. type: Content of: <listitem><para> #: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 msgid "" "SSSD supports two representations for specifying the debug level. The " "simplest is to specify a decimal value from 0-9, which represents enabling " "that level and all lower-level debug messages. The more comprehensive option " "is to specify a hexadecimal bitmask to enable or disable specific levels " "(such as if you wish to suppress a level)." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:10 msgid "" "Please note that each SSSD service logs into its own log file. Also please " "note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " "section only enables debugging just for the sssd process itself, not for the " "responder or provider processes. The <quote>debug_level</quote> parameter " "should be added to all sections that you wish to produce debug logs from." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:18 msgid "" "In addition to changing the log level in the config file using the " "<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " "restart, it is also possible to change the debug level on the fly using the " "<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> <manvolnum>8</" "manvolnum> </citerefentry> tool." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 msgid "Currently supported debug levels:" msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 msgid "" "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal failures. " "Anything that would prevent SSSD from starting up or causes it to cease " "running." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 msgid "" "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " "error that doesn't kill SSSD, but one that indicates that at least one major " "feature is not going to work properly." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 msgid "" "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " "error announcing that a particular request or operation has failed." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 msgid "" "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " "are the errors that would percolate down to cause the operation failure of 2." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 msgid "" "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 msgid "" "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " "operation functions." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 msgid "" "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " "internal control functions." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 msgid "" "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of function-" "internal variables that may be interesting." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 msgid "" "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " "tracing information." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:81 msgid "" "<emphasis>9</emphasis>, <emphasis>0x20000</emphasis>: Performance and " "statistical data, please note that due to the way requests are processed " "internally the logged execution time of a request might be longer than it " "actually was." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:88 include/debug_levels_tools.xml:62 msgid "" "<emphasis>10</emphasis>, <emphasis>0x10000</emphasis>: Even more low-level " "libldb tracing information. Almost never really required." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:93 include/debug_levels_tools.xml:67 msgid "" "To log required bitmask debug levels, simply add their numbers together as " "shown in following examples:" msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:97 include/debug_levels_tools.xml:71 msgid "" "<emphasis>Example</emphasis>: To log fatal failures, critical failures, " "serious failures and function data use 0x0270." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:101 include/debug_levels_tools.xml:75 msgid "" "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " "function data, trace messages for internal control functions use 0x1310." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:106 include/debug_levels_tools.xml:80 msgid "" "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " "in 1.7.0." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:110 include/debug_levels_tools.xml:84 msgid "" "<emphasis>Default</emphasis>: 0x0070 (i.e. fatal, critical and serious " "failures; corresponds to setting 2 in decimal notation)" msgstr "" #. type: Content of: <refsect1><title> #: include/local.xml:2 msgid "THE LOCAL DOMAIN" msgstr "" #. type: Content of: <refsect1><para> #: include/local.xml:4 msgid "" "In order to function correctly, a domain with <quote>id_provider=local</" "quote> must be created and the SSSD must be running." msgstr "" #. type: Content of: <refsect1><para> #: include/local.xml:9 msgid "" "The administrator might want to use the SSSD local users instead of " "traditional UNIX users in cases where the group nesting (see <citerefentry> " "<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> </" "citerefentry>) is needed. The local users are also useful for testing and " "development of the SSSD without having to deploy a full remote server. The " "<command>sss_user*</command> and <command>sss_group*</command> tools use a " "local LDB storage to store users and groups." msgstr "" #. type: Content of: <refsect1><para> #: include/seealso.xml:4 msgid "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd-ldap-attributes</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd-simple</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sssd-ad</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <phrase " "condition=\"with_files_provider\"> <citerefentry> <refentrytitle>sssd-files</" "refentrytitle><manvolnum>5</manvolnum> </citerefentry>, </phrase> <phrase " "condition=\"with_sudo\"> <citerefentry> <refentrytitle>sssd-sudo</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry>, </phrase> " "<citerefentry> <refentrytitle>sssd-session-recording</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sss_debuglevel</" "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> </" "citerefentry>, <citerefentry> <refentrytitle>sss_seed</" "refentrytitle><manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</" "manvolnum> </citerefentry>, <phrase condition=\"with_ssh\"> <citerefentry> " "<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> <manvolnum>8</" "manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> <manvolnum>8</" "manvolnum> </citerefentry>, </phrase> <phrase condition=\"with_ifp\"> " "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</" "manvolnum> </citerefentry>, </phrase> <citerefentry> <refentrytitle>pam_sss</" "refentrytitle><manvolnum>8</manvolnum> </citerefentry>. <citerefentry> " "<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " "<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> </" "citerefentry> </phrase>" msgstr "" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:3 msgid "" "An optional base DN, search scope and LDAP filter to restrict LDAP searches " "for this attribute type." msgstr "" #. type: Content of: <listitem><para><programlisting> #: include/ldap_search_bases.xml:9 #, no-wrap msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" msgstr "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:7 msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "syntaxe: <placeholder type=\"programlisting\" id=\"0\"/>" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:13 msgid "" "The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope " "functions as specified in section 4.5.1.2 of http://tools.ietf.org/html/" "rfc4511" msgstr "" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:23 msgid "" "For examples of this syntax, please refer to the <quote>ldap_search_base</" "quote> examples section." msgstr "" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:31 msgid "" "Please note that specifying scope or filter is not supported for searches " "against an Active Directory Server that might yield a large number of " "results and trigger the Range Retrieval extension in the response." msgstr "" #. type: Content of: <para> #: include/autofs_restart.xml:2 msgid "" "Please note that the automounter only reads the master map on startup, so if " "any autofs-related changes are made to the sssd.conf, you typically also " "need to restart the automounter daemon after restarting the SSSD." msgstr "" #. type: Content of: <varlistentry><term> #: include/override_homedir.xml:2 msgid "override_homedir (string)" msgstr "override_homedir (řetězec)" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:16 msgid "UID number" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:20 msgid "domain name" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:23 msgid "%f" msgstr "%f" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:24 msgid "fully qualified user name (user@domain)" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:27 msgid "%l" msgstr "%l" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:28 msgid "The first letter of the login name." msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:32 msgid "UPN - User Principal Name (name@REALM)" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:35 msgid "%o" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:37 msgid "The original home directory retrieved from the identity provider." msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:44 msgid "" "The original home directory retrieved from the identity provider, but in " "lower case." msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:49 msgid "%H" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:51 msgid "The value of configure option <emphasis>homedir_substring</emphasis>." msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:5 msgid "" "Override the user's home directory. You can either provide an absolute value " "or a template. In the template, the following sequences are substituted: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:63 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <varlistentry><listitem><para><programlisting> #: include/override_homedir.xml:68 #, no-wrap msgid "" "override_homedir = /home/%u\n" " " msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:72 msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:76 msgid "" "Please note, the home directory from a specific override for the user, " "either locally (see <citerefentry><refentrytitle>sss_override</" "refentrytitle> <manvolnum>8</manvolnum></citerefentry>) or centrally managed " "IPA id-overrides, has a higher precedence and will be used instead of the " "value given by override_homedir." msgstr "" #. type: Content of: <varlistentry><term> #: include/homedir_substring.xml:2 msgid "homedir_substring (string)" msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/homedir_substring.xml:5 msgid "" "The value of this option will be used in the expansion of the " "<emphasis>override_homedir</emphasis> option if the template contains the " "format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " "contain this template so that this option can be used to expand the home " "directory path for each client machine (or operating system). It can be set " "per-domain or globally in the [nss] section. A value specified in a domain " "section will override one set in the [nss] section." msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/homedir_substring.xml:15 msgid "Default: /home" msgstr "" #. type: Content of: <refsect1><title> #: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 msgid "MODIFIED DEFAULT OPTIONS" msgstr "" #. type: Content of: <refsect1><para> #: include/ad_modified_defaults.xml:4 msgid "" "Certain option defaults do not match their respective backend provider " "defaults, these option names and AD provider-specific defaults are listed " "below:" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 msgid "KRB5 Provider" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 msgid "krb5_validate = true" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:18 msgid "krb5_use_enterprise_principal = true" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:24 msgid "LDAP Provider" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:28 msgid "ldap_schema = ad" msgstr "ldap_schema = ad" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 msgid "ldap_force_upper_case_realm = true" msgstr "ldap_force_upper_case_realm = true" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:38 msgid "ldap_id_mapping = true" msgstr "ldap_id_mapping = true" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:43 msgid "ldap_sasl_mech = GSS-SPNEGO" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:48 msgid "ldap_referrals = false" msgstr "ldap_referrals = false" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:53 msgid "ldap_account_expire_policy = ad" msgstr "ldap_account_expire_policy = ad" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 msgid "ldap_use_tokengroups = true" msgstr "ldap_use_tokengroups = true" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:63 msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:66 msgid "" "The AD provider looks for a different principal than the LDAP provider by " "default, because in an Active Directory environment the principals are " "divided into two groups - User Principals and Service Principals. Only User " "Principal can be used to obtain a TGT and by default, computer object's " "principal is constructed from its sAMAccountName and the AD realm. The well-" "known host/hostname@REALM principal is a Service Principal and thus cannot " "be used to get a TGT with." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:80 msgid "NSS configuration" msgstr "Nastavení NSS" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:84 msgid "fallback_homedir = /home/%d/%u" msgstr "fallback_homedir = /home/%d/%u" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:87 msgid "" "The AD provider automatically sets \"fallback_homedir = /home/%d/%u\" to " "provide personal home directories for users without the homeDirectory " "attribute. If your AD Domain is properly populated with Posix attributes, " "and you want to avoid this fallback behavior, you can explicitly set " "\"fallback_homedir = %o\"." msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:96 msgid "" "Note that the system typically expects a home directory in /home/%u folder. " "If you decide to use a different directory structure, some other parts of " "your system may need adjustments." msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:102 msgid "" "For example automated creation of home directories in combination with " "selinux requires selinux adjustment, otherwise the home directory will be " "created with wrong selinux context." msgstr "" #. type: Content of: <refsect1><para> #: include/ipa_modified_defaults.xml:4 msgid "" "Certain option defaults do not match their respective backend provider " "defaults, these option names and IPA provider-specific defaults are listed " "below:" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:18 msgid "krb5_use_fast = try" msgstr "krb5_use_fast = try" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:23 msgid "krb5_canonicalize = true" msgstr "krb5_canonicalize = true" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:29 msgid "LDAP Provider - General" msgstr "LDAP poskytovatel – obecné" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:33 msgid "ldap_schema = ipa_v1" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:43 msgid "ldap_sasl_mech = GSSAPI" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:48 msgid "ldap_sasl_minssf = 56" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:53 msgid "ldap_account_expire_policy = ipa" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:64 msgid "LDAP Provider - User options" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:68 msgid "ldap_user_member_of = memberOf" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:73 msgid "ldap_user_uuid = ipaUniqueID" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:78 msgid "ldap_user_ssh_public_key = ipaSshPubKey" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:83 msgid "ldap_user_auth_type = ipaUserAuthType" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:89 msgid "LDAP Provider - Group options" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:93 msgid "ldap_group_object_class = ipaUserGroup" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:98 msgid "ldap_group_object_class_alt = posixGroup" msgstr "ldap_group_object_class_alt = posixGroup" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:103 msgid "ldap_group_member = member" msgstr "ldap_group_member = member" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:108 msgid "ldap_group_uuid = ipaUniqueID" msgstr "ldap_group_uuid = ipaUniqueID" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:113 msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" msgstr "ldap_group_objectsid = ipaNTSecurityIdentifier" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:118 msgid "ldap_group_external_member = ipaExternalMember" msgstr "ldap_group_external_member = ipaExternalMember" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:3 msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:6 msgid "" "Timeout in seconds after an online authentication request or change password " "request is aborted. If possible, the authentication request is continued " "offline." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:17 msgid "krb5_validate (boolean)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:20 msgid "" "Verify with the help of krb5_keytab that the TGT obtained has not been " "spoofed. The keytab is checked for entries sequentially, and the first entry " "with a matching realm is used for validation. If no entry matches the realm, " "the last entry in the keytab is used. This process can be used to validate " "environments using cross-realm trust by placing the appropriate keytab entry " "as the last entry or the only entry in the keytab file." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:29 msgid "Default: false (IPA and AD provider: true)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:32 msgid "" "Please note that the ticket validation is the first step when checking the " "PAC (see 'pac_check' in the <citerefentry> <refentrytitle>sssd.conf</" "refentrytitle> <manvolnum>5</manvolnum> </citerefentry> manual page for " "details). If ticket validation is disabled the PAC checks will be skipped as " "well." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:44 msgid "krb5_renewable_lifetime (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:47 msgid "" "Request a renewable ticket with a total lifetime, given as an integer " "immediately followed by a time unit:" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:52 include/krb5_options.xml:86 #: include/krb5_options.xml:123 msgid "<emphasis>s</emphasis> for seconds" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:55 include/krb5_options.xml:89 #: include/krb5_options.xml:126 msgid "<emphasis>m</emphasis> for minutes" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:58 include/krb5_options.xml:92 #: include/krb5_options.xml:129 msgid "<emphasis>h</emphasis> for hours" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:61 include/krb5_options.xml:95 #: include/krb5_options.xml:132 msgid "<emphasis>d</emphasis> for days." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:64 include/krb5_options.xml:135 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:68 include/krb5_options.xml:139 msgid "" "NOTE: It is not possible to mix units. To set the renewable lifetime to one " "and a half hours, use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:73 msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:79 msgid "krb5_lifetime (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:82 msgid "" "Request ticket with a lifetime, given as an integer immediately followed by " "a time unit:" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:98 msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:102 msgid "" "NOTE: It is not possible to mix units. To set the lifetime to one and a " "half hours please use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:107 msgid "" "Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:114 msgid "krb5_renew_interval (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:117 msgid "" "The time in seconds between two checks if the TGT should be renewed. TGTs " "are renewed if about half of their lifetime is exceeded, given as an integer " "immediately followed by a time unit:" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:144 msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:157 msgid "" "Specifies if the host and user principal should be canonicalized. This " "feature is available with MIT Kerberos 1.7 and later versions." msgstr "" #~ msgid "sss_groupdel" #~ msgstr "sss_groupdel" #~ msgid "delete a group" #~ msgstr "vymazat skupinu" #~ msgid "" #~ "<command>sss_groupdel</command> <arg choice='opt'> <replaceable>options</" #~ "replaceable> </arg> <arg choice='plain'><replaceable>GROUP</replaceable></" #~ "arg>" #~ msgstr "" #~ "<command>sss_groupdel</command> <arg choice='opt'> <replaceable>volby</" #~ "replaceable> </arg> <arg choice='plain'><replaceable>SKUPINA</" #~ "replaceable></arg>" #~ msgid "" #~ "<command>sss_groupdel</command> deletes a group identified by its name " #~ "<replaceable>GROUP</replaceable> from the system." #~ msgstr "" #~ "<command>sss_groupdel</command> odstraní ze systému skupinu určenou jejím " #~ "jménem<replaceable>SKUPINA</replaceable>."