# SOME DESCRIPTIVE TITLE # Copyright (C) YEAR Red Hat # This file is distributed under the same license as the sssd-docs package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: sssd-docs 2.9.3\n" "Report-Msgid-Bugs-To: sssd-devel@redhat.com\n" "POT-Creation-Date: 2024-01-12 13:00+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "Language: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. type: Content of: #: sssd.conf.5.xml:8 sssd-ldap.5.xml:5 pam_sss.8.xml:5 pam_sss_gss.8.xml:5 #: sssd_krb5_locator_plugin.8.xml:5 sssd-simple.5.xml:5 sss-certmap.5.xml:5 #: sssd-ipa.5.xml:5 sssd-ad.5.xml:5 sssd-sudo.5.xml:5 sssd.8.xml:5 #: sss_obfuscate.8.xml:5 sss_override.8.xml:5 sssd-krb5.5.xml:5 #: sss_cache.8.xml:5 sss_debuglevel.8.xml:5 sss_seed.8.xml:5 sssd-ifp.5.xml:5 #: sss_rpcidmapd.5.xml:5 sss_ssh_authorizedkeys.1.xml:5 #: sss_ssh_knownhostsproxy.1.xml:5 idmap_sss.8.xml:5 sssctl.8.xml:5 #: sssd-files.5.xml:5 sssd-session-recording.5.xml:5 sssd-kcm.8.xml:5 #: sssd-systemtap.5.xml:5 sssd-ldap-attributes.5.xml:5 #: sssd_krb5_localauth_plugin.8.xml:5 msgid "SSSD Manual pages" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd.conf.5.xml:13 sssd.conf.5.xml:19 msgid "sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refmeta><manvolnum> #: sssd.conf.5.xml:14 sssd-ldap.5.xml:11 sssd-simple.5.xml:11 #: sss-certmap.5.xml:11 sssd-ipa.5.xml:11 sssd-ad.5.xml:11 sssd-sudo.5.xml:11 #: sssd-krb5.5.xml:11 sssd-ifp.5.xml:11 sss_rpcidmapd.5.xml:27 #: sssd-files.5.xml:11 sssd-session-recording.5.xml:11 sssd-systemtap.5.xml:11 #: sssd-ldap-attributes.5.xml:11 msgid "5" msgstr "" #. type: Content of: <reference><refentry><refmeta><refmiscinfo> #: sssd.conf.5.xml:15 sssd-ldap.5.xml:12 sssd-simple.5.xml:12 #: sss-certmap.5.xml:12 sssd-ipa.5.xml:12 sssd-ad.5.xml:12 sssd-sudo.5.xml:12 #: sssd-krb5.5.xml:12 sssd-ifp.5.xml:12 sss_rpcidmapd.5.xml:28 #: sssd-files.5.xml:12 sssd-session-recording.5.xml:12 sssd-kcm.8.xml:12 #: sssd-systemtap.5.xml:12 sssd-ldap-attributes.5.xml:12 msgid "File Formats and Conventions" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd.conf.5.xml:20 msgid "the configuration file for SSSD" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:24 msgid "FILE FORMAT" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:32 #, no-wrap msgid "" "<replaceable>[section]</replaceable>\n" "<replaceable>key</replaceable> = <replaceable>value</replaceable>\n" "<replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:27 msgid "" "The file has an ini-style syntax and consists of sections and parameters. A " "section begins with the name of the section in square brackets and continues " "until the next section begins. An example of section with single and " "multi-valued parameters: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:39 msgid "" "The data types used are string (no quotes needed), integer and bool (with " "values of <quote>TRUE/FALSE</quote>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:44 msgid "" "A comment line starts with a hash sign (<quote>#</quote>) or a semicolon " "(<quote>;</quote>). Inline comments are not supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:50 msgid "" "All sections can have an optional <replaceable>description</replaceable> " "parameter. Its function is only as a label for the section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:56 msgid "" "<filename>sssd.conf</filename> must be a regular file, owned by root and " "only root may read from or write to the file." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:62 msgid "CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:65 msgid "" "The configuration file <filename>sssd.conf</filename> will include " "configuration snippets using the include directory " "<filename>conf.d</filename>. This feature is available if SSSD was compiled " "with libini version 1.3.0 or later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:72 msgid "" "Any file placed in <filename>conf.d</filename> that ends in " "<quote><filename>.conf</filename></quote> and does not begin with a dot " "(<quote>.</quote>) will be used together with <filename>sssd.conf</filename> " "to configure SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:80 msgid "" "The configuration snippets from <filename>conf.d</filename> have higher " "priority than <filename>sssd.conf</filename> and will override " "<filename>sssd.conf</filename> when conflicts occur. If several snippets are " "present in <filename>conf.d</filename>, then they are included in " "alphabetical order (based on locale). Files included later have higher " "priority. Numerical prefixes (<filename>01_snippet.conf</filename>, " "<filename>02_snippet.conf</filename> etc.) can help visualize the priority " "(higher number means higher priority)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:94 msgid "" "The snippet files require the same owner and permissions as " "<filename>sssd.conf</filename>. Which are by default root:root and 0600." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:101 msgid "GENERAL OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:103 msgid "Following options are usable in more than one configuration sections." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:107 msgid "Options usable in all sections" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:111 msgid "debug_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:115 msgid "debug (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:118 msgid "" "SSSD 1.14 and later also includes the <replaceable>debug</replaceable> alias " "for <replaceable>debug_level</replaceable> as a convenience feature. If both " "are specified, the value of <replaceable>debug_level</replaceable> will be " "used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:128 msgid "debug_timestamps (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:131 msgid "" "Add a timestamp to the debug messages. If journald is enabled for SSSD " "debug logging this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:136 sssd.conf.5.xml:173 sssd.conf.5.xml:358 #: sssd.conf.5.xml:714 sssd.conf.5.xml:729 sssd.conf.5.xml:952 #: sssd.conf.5.xml:1070 sssd.conf.5.xml:2198 sssd-ldap.5.xml:1073 #: sssd-ldap.5.xml:1176 sssd-ldap.5.xml:1245 sssd-ldap.5.xml:1752 #: sssd-ldap.5.xml:1817 sssd-ipa.5.xml:347 sssd-ad.5.xml:252 sssd-ad.5.xml:366 #: sssd-ad.5.xml:1200 sssd-ad.5.xml:1353 sssd-krb5.5.xml:358 msgid "Default: true" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:141 msgid "debug_microseconds (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:144 msgid "" "Add microseconds to the timestamp in debug messages. If journald is enabled " "for SSSD debug logging this option is ignored." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:149 sssd.conf.5.xml:652 sssd.conf.5.xml:949 #: sssd.conf.5.xml:2101 sssd.conf.5.xml:2168 sssd.conf.5.xml:4193 #: sssd-ldap.5.xml:313 sssd-ldap.5.xml:919 sssd-ldap.5.xml:938 #: sssd-ldap.5.xml:1148 sssd-ldap.5.xml:1601 sssd-ldap.5.xml:1841 #: sssd-ipa.5.xml:152 sssd-ipa.5.xml:254 sssd-ipa.5.xml:662 sssd-ad.5.xml:1106 #: sssd-krb5.5.xml:268 sssd-krb5.5.xml:330 sssd-krb5.5.xml:432 #: include/krb5_options.xml:163 msgid "Default: false" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:154 msgid "debug_backtrace_enabled (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:157 msgid "Enable debug backtrace." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:160 msgid "" "In case SSSD is run with debug_level less than 9, everything is logged to a " "ring buffer in memory and flushed to a log file on any error up to and " "including `min(0x0040, debug_level)` (i.e. if debug_level is explicitly set " "to 0 or 1 then only those error levels will trigger backtrace, otherwise up " "to 2)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:169 msgid "" "Feature is only supported for `logger == files` (i.e. setting doesn't have " "effect for other logger types)." msgstr "" #. type: Content of: outside any tag (error?) #: sssd.conf.5.xml:109 sssd.conf.5.xml:184 sssd-ldap.5.xml:1658 #: sssd-ldap.5.xml:1864 sss-certmap.5.xml:645 sssd-systemtap.5.xml:82 #: sssd-systemtap.5.xml:143 sssd-systemtap.5.xml:236 sssd-systemtap.5.xml:274 #: sssd-systemtap.5.xml:330 sssd-ldap-attributes.5.xml:40 #: sssd-ldap-attributes.5.xml:659 sssd-ldap-attributes.5.xml:801 #: sssd-ldap-attributes.5.xml:890 sssd-ldap-attributes.5.xml:987 #: sssd-ldap-attributes.5.xml:1045 sssd-ldap-attributes.5.xml:1203 #: sssd-ldap-attributes.5.xml:1248 include/autofs_attributes.xml:1 #: include/krb5_options.xml:1 msgid "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:182 msgid "Options usable in SERVICE and DOMAIN sections" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:186 msgid "timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:189 msgid "" "Timeout in seconds between heartbeats for this service. This is used to " "ensure that the process is alive and capable of answering requests. Note " "that after three missed heartbeats the process will terminate itself." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:196 sssd.conf.5.xml:1290 sssd.conf.5.xml:1767 #: sssd.conf.5.xml:4209 sssd-ldap.5.xml:766 include/ldap_id_mapping.xml:270 msgid "Default: 10" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:206 msgid "SPECIAL SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:209 msgid "The [sssd] section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><title> #: sssd.conf.5.xml:218 msgid "Section parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:220 msgid "config_file_version (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:223 msgid "" "Indicates what is the syntax of the config file. SSSD 0.6.0 and later use " "version 2." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:229 msgid "services" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:232 msgid "" "Comma separated list of services that are started when sssd itself starts. " "<phrase condition=\"have_systemd\"> The services' list is optional on " "platforms where systemd is supported, as they will either be socket or D-Bus " "activated when needed. </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:241 msgid "" "Supported services: nss, pam <phrase condition=\"with_sudo\">, sudo</phrase> " "<phrase condition=\"with_autofs\">, autofs</phrase> <phrase " "condition=\"with_ssh\">, ssh</phrase> <phrase " "condition=\"with_pac_responder\">, pac</phrase> <phrase " "condition=\"with_ifp\">, ifp</phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:249 msgid "" "<phrase condition=\"have_systemd\"> By default, all services are disabled " "and the administrator must enable the ones allowed to be used by executing: " "\"systemctl enable sssd-@service@.socket\". </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:258 sssd.conf.5.xml:784 msgid "reconnection_retries (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:261 sssd.conf.5.xml:787 msgid "" "Number of times services should attempt to reconnect in the event of a Data " "Provider crash or restart before they give up" msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:266 sssd.conf.5.xml:792 sssd.conf.5.xml:3716 #: include/failover.xml:100 msgid "Default: 3" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:271 msgid "domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:274 msgid "" "A domain is a database containing user information. SSSD can use more " "domains at the same time, but at least one must be configured or SSSD won't " "start. This parameter describes the list of domains in the order you want " "them to be queried. A domain name is recommended to contain only " "alphanumeric ASCII characters, dashes, dots and underscores. '/' character " "is forbidden." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:287 sssd.conf.5.xml:3548 msgid "re_expression (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:290 msgid "" "Default regular expression that describes how to parse the string containing " "user name and domain into these components." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:295 msgid "" "Each domain can have an individual regular expression configured. For some " "ID providers there are also default regular expressions. See DOMAIN SECTIONS " "for more info on these regular expressions." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:304 sssd.conf.5.xml:3605 msgid "full_name_format (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:307 sssd.conf.5.xml:3608 msgid "" "A <citerefentry> <refentrytitle>printf</refentrytitle> " "<manvolnum>3</manvolnum> </citerefentry>-compatible format that describes " "how to compose a fully qualified name from user name and domain name " "components." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:318 sssd.conf.5.xml:3619 msgid "%1$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:319 sssd.conf.5.xml:3620 msgid "user name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:322 sssd.conf.5.xml:3623 msgid "%2$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:325 sssd.conf.5.xml:3626 msgid "domain name as specified in the SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:331 sssd.conf.5.xml:3632 msgid "%3$s" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:334 sssd.conf.5.xml:3635 msgid "" "domain flat name. Mostly usable for Active Directory domains, both directly " "configured or discovered via IPA trusts." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:315 sssd.conf.5.xml:3616 msgid "" "The following expansions are supported: <placeholder type=\"variablelist\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:344 msgid "" "Each domain can have an individual format string configured. See DOMAIN " "SECTIONS for more info on this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:350 msgid "monitor_resolv_conf (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:353 msgid "" "Controls if SSSD should monitor the state of resolv.conf to identify when it " "needs to update its internal DNS resolver." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:363 msgid "try_inotify (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:366 msgid "" "By default, SSSD will attempt to use inotify to monitor configuration files " "changes and will fall back to polling every five seconds if inotify cannot " "be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:372 msgid "" "There are some limited situations where it is preferred that we should skip " "even trying to use inotify. In these rare cases, this option should be set " "to 'false'" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:378 msgid "" "Default: true on platforms where inotify is supported. False on other " "platforms." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:382 msgid "" "Note: this option will have no effect on platforms where inotify is " "unavailable. On these platforms, polling will always be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:389 msgid "krb5_rcache_dir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:392 msgid "" "Directory on the filesystem where SSSD should store Kerberos replay cache " "files." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:396 msgid "" "This option accepts a special value __LIBKRB5_DEFAULTS__ that will instruct " "SSSD to let libkrb5 decide the appropriate location for the replay cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:402 msgid "" "Default: Distribution-specific and specified at " "build-time. (__LIBKRB5_DEFAULTS__ if not configured)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:409 msgid "user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:412 msgid "" "The user to drop the privileges to where appropriate to avoid running as the " "root user. Currently the only supported value is '&sssd_user_name;'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:419 msgid "" "This option does not work when running socket-activated services, as the " "user set up to run the processes is set up during compilation time. The way " "to override the systemd unit files is by creating the appropriate files in " "/etc/systemd/system/. Keep in mind that any change in the socket user, " "group or permissions may result in a non-usable SSSD. The same may occur in " "case of changes of the user running the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:433 msgid "Default: not set, process will run as root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:438 msgid "default_domain_suffix (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:441 msgid "" "This string will be used as a default domain name for all names without a " "domain name component. The main use case is environments where the primary " "domain is intended for managing host policies and all users are located in a " "trusted domain. The option allows those users to log in just with their " "user name without giving a domain name as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:451 msgid "" "Please note that if this option is set all users from the primary domain " "have to use their fully qualified name, e.g. user@domain.name, to log " "in. Setting this option changes default of use_fully_qualified_names to " "True. It is not allowed to use this option together with " "use_fully_qualified_names set to False. <phrase " "condition=\"with_files_provider\"> One exception from this rule are domains " "with <quote>id_provider=files</quote> that always try to match the behaviour " "of nss_files and therefore their output is not qualified even when the " "default_domain_suffix option is used. </phrase>" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:468 sssd-ldap.5.xml:877 sssd-ldap.5.xml:889 #: sssd-ldap.5.xml:982 sssd-ad.5.xml:920 sssd-ad.5.xml:995 sssd-krb5.5.xml:468 #: sssd-ldap-attributes.5.xml:470 sssd-ldap-attributes.5.xml:976 #: include/ldap_id_mapping.xml:211 include/ldap_id_mapping.xml:222 #: include/krb5_options.xml:148 msgid "Default: not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:473 msgid "override_space (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:476 msgid "" "This parameter will replace spaces (space bar) with the given character for " "user and group names. e.g. (_). User name "john doe" will be " ""john_doe" This feature was added to help compatibility with shell " "scripts that have difficulty handling spaces, due to the default field " "separator in the shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:485 msgid "" "Please note it is a configuration error to use a replacement character that " "might be used in user or group names. If a name contains the replacement " "character SSSD tries to return the unmodified name but in general the result " "of a lookup is undefined." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:493 msgid "Default: not set (spaces will not be replaced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:498 msgid "certificate_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:506 msgid "no_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:508 msgid "" "Disables Online Certificate Status Protocol (OCSP) checks. This might be " "needed if the OCSP servers defined in the certificate are not reachable from " "the client." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:516 msgid "soft_ocsp" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:518 msgid "" "If a connection cannot be established to an OCSP responder the OCSP check is " "skipped. This option should be used to allow authentication when the system " "is offline and the OCSP responder cannot be reached." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:528 msgid "ocsp_dgst" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:530 msgid "" "Digest (hash) function used to create the certificate ID for the OCSP " "request. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:534 msgid "sha1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:535 msgid "sha256" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:536 msgid "sha384" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:537 msgid "sha512" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:540 msgid "Default: sha1 (to allow compatibility with RFC5019-compliant responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:546 msgid "no_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:548 msgid "" "Disables verification completely. This option should only be used for " "testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:554 msgid "partial_chain" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:556 msgid "" "Allow verification to succeed even if a <replaceable>complete</replaceable> " "chain cannot be built to a self-signed trust-anchor, provided it is possible " "to construct a chain to a trusted certificate that might not be self-signed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:565 msgid "ocsp_default_responder=URL" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:567 msgid "" "Sets the OCSP default responder which should be used instead of the one " "mentioned in the certificate. URL must be replaced with the URL of the OCSP " "default responder e.g. http://example.com:80/ocsp." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:577 msgid "ocsp_default_responder_signing_cert=NAME" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:579 msgid "" "This option is currently ignored. All needed certificates must be available " "in the PEM file given by pam_cert_db_path." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:587 msgid "crl_file=/PATH/TO/CRL/FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:589 msgid "" "Use the Certificate Revocation List (CRL) from the given file during the " "verification of the certificate. The CRL must be given in PEM format, see " "<citerefentry> <refentrytitle>crl</refentrytitle> " "<manvolnum>1ssl</manvolnum> </citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:602 msgid "soft_crl" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:605 msgid "" "If a Certificate Revocation List (CRL) is expired ignore the CRL checks for " "the related certificates. This option should be used to allow authentication " "when the system is offline and the CRL cannot be renewed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:501 msgid "" "With this parameter the certificate verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:616 msgid "Unknown options are reported but ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:619 msgid "Default: not set, i.e. do not restrict certificate verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:625 msgid "disable_netlink (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:628 msgid "" "SSSD hooks into the netlink interface to monitor changes to routes, " "addresses, links and trigger certain actions." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:633 msgid "" "The SSSD state changes caused by netlink events may be undesirable and can " "be disabled by setting this option to 'true'" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:638 msgid "Default: false (netlink changes are detected)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:643 msgid "enable_files_domain (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:646 msgid "" "When this option is enabled, SSSD prepends an implicit domain with " "<quote>id_provider=files</quote> before any explicitly configured domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:657 msgid "domain_resolution_order" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:660 msgid "" "Comma separated list of domains and subdomains representing the lookup order " "that will be followed. The list doesn't have to include all possible " "domains as the missing domains will be looked up based on the order they're " "presented in the <quote>domains</quote> configuration option. The " "subdomains which are not listed as part of <quote>lookup_order</quote> will " "be looked up in a random order for each parent domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:672 msgid "" "Please, note that when this option is set the output format of all commands " "is always fully-qualified even when using short names for input <phrase " "condition=\"with_files_provider\"> , for all users but the ones managed by " "the files provider </phrase>. In case the administrator wants the output " "not fully-qualified, the full_name_format option can be used as shown below: " "<quote>full_name_format=%1$s</quote> However, keep in mind that during " "login, login applications often canonicalize the username by calling " "<citerefentry> <refentrytitle>getpwnam</refentrytitle> " "<manvolnum>3</manvolnum> </citerefentry> which, if a shortname is returned " "for a qualified input (while trying to reach a user which exists in multiple " "domains) might re-route the login attempt into the domain which uses " "shortnames, making this workaround totally not recommended in cases where " "usernames may overlap between domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:700 sssd.conf.5.xml:1791 sssd.conf.5.xml:4259 #: sssd-ad.5.xml:187 sssd-ad.5.xml:327 sssd-ad.5.xml:341 msgid "Default: Not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:705 msgid "implicit_pac_responder (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:708 msgid "" "The PAC responder is enabled automatically for the IPA and AD provider to " "evaluate and check the PAC. If it has to be disabled set this option to " "'false'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:719 msgid "core_dumpable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:722 msgid "" "This option can be used for general system hardening: setting it to 'false' " "forbids core dumps for all SSSD processes to avoid leaking plain text " "passwords. See man page prctl:PR_SET_DUMPABLE for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:734 msgid "passkey_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:742 msgid "user_verification (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:744 msgid "" "Enable or disable the user verification (i.e. PIN, fingerprint) during " "authentication. If enabled, the PIN will always be requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:750 msgid "" "The default is that the key settings decide what to do. In the IPA or " "kerberos pre-authentication case, this value will be overwritten by the " "server." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:737 msgid "" "With this parameter the passkey verification can be tuned with a comma " "separated list of options. Supported options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:211 msgid "" "Individual pieces of SSSD functionality are provided by special SSSD " "services that are started and stopped together with SSSD. The services are " "managed by a special service frequently called <quote>monitor</quote>. The " "<quote>[sssd]</quote> section is used to configure the monitor as well as " "some other important options like the identity domains. <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:769 msgid "SERVICES SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:771 msgid "" "Settings that can be used to configure different services are described in " "this section. They should reside in the [<replaceable>$NAME</replaceable>] " "section, for example, for NSS service, the section would be " "<quote>[nss]</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:778 msgid "General service configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:780 msgid "These options can be used to configure any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:797 msgid "fd_limit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:800 msgid "" "This option specifies the maximum number of file descriptors that may be " "opened at one time by this SSSD process. On systems where SSSD is granted " "the CAP_SYS_RESOURCE capability, this will be an absolute setting. On " "systems without this capability, the resulting value will be the lower value " "of this or the limits.conf \"hard\" limit." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:809 msgid "Default: 8192 (or limits.conf \"hard\" limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:814 msgid "client_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:817 msgid "" "This option specifies the number of seconds that a client of an SSSD process " "can hold onto a file descriptor without communicating on it. This value is " "limited in order to avoid resource exhaustion on the system. The timeout " "can't be shorter than 10 seconds. If a lower value is configured, it will be " "adjusted to 10 seconds." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:826 msgid "Default: 60, KCM: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:831 msgid "offline_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:834 msgid "" "When SSSD switches to offline mode the amount of time before it tries to go " "back online will increase based upon the time spent disconnected. By " "default SSSD uses incremental behaviour to calculate delay in between " "retries. So, the wait time for a given retry will be longer than the wait " "time for the previous ones. After each unsuccessful attempt to go online, " "the new interval is recalculated by the following:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:845 sssd.conf.5.xml:901 msgid "" "new_delay = Minimum(old_delay * 2, offline_timeout_max) + " "random[0...offline_timeout_random_offset]" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:848 msgid "" "The offline_timeout default value is 60. The offline_timeout_max default " "value is 3600. The offline_timeout_random_offset default value is 30. The " "end result is amount of seconds before next retry." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:854 msgid "" "Note that the maximum length of each interval is defined by " "offline_timeout_max (apart of random part)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:858 sssd.conf.5.xml:1201 sssd.conf.5.xml:1584 #: sssd.conf.5.xml:1880 sssd-ldap.5.xml:495 msgid "Default: 60" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:863 msgid "offline_timeout_max (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:866 msgid "" "Controls by how much the time between attempts to go online can be " "incremented following unsuccessful attempts to go online." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:871 msgid "A value of 0 disables the incrementing behaviour." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:874 msgid "" "The value of this parameter should be set in correlation to offline_timeout " "parameter value." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:878 msgid "" "With offline_timeout set to 60 (default value) there is no point in setting " "offlinet_timeout_max to less than 120 as it will saturate instantly. General " "rule here should be to set offline_timeout_max to at least 4 times " "offline_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:884 msgid "" "Although a value between 0 and offline_timeout may be specified, it has the " "effect of overriding the offline_timeout value so is of little use." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:889 msgid "Default: 3600" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:894 msgid "offline_timeout_random_offset (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:897 msgid "" "When SSSD is in offline mode it keeps probing backend servers in specified " "time intervals:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:904 msgid "" "This parameter controls the value of the random offset used for the above " "equation. Final random_offset value will be random number in range:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:909 msgid "[0 - offline_timeout_random_offset]" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:912 msgid "A value of 0 disables the random offset addition." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:915 msgid "Default: 30" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:920 msgid "responder_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:923 msgid "" "This option specifies the number of seconds that an SSSD responder process " "can be up without being used. This value is limited in order to avoid " "resource exhaustion on the system. The minimum acceptable value for this " "option is 60 seconds. Setting this option to 0 (zero) means that no timeout " "will be set up to the responder. This option only has effect when SSSD is " "built with systemd support and when services are either socket or D-Bus " "activated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:937 sssd.conf.5.xml:1214 sssd.conf.5.xml:2322 #: sssd-ldap.5.xml:332 msgid "Default: 300" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:942 msgid "cache_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:945 msgid "" "This option specifies whether the responder should query all caches before " "querying the Data Providers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:960 msgid "NSS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:962 msgid "" "These options can be used to configure the Name Service Switch (NSS) " "service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:967 msgid "enum_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:970 msgid "" "How many seconds should nss_sss cache enumerations (requests for info about " "all users)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:974 msgid "Default: 120" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:979 msgid "entry_cache_nowait_percentage (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:982 msgid "" "The entry cache can be set to automatically update entries in the background " "if they are requested beyond a percentage of the entry_cache_timeout value " "for the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:988 msgid "" "For example, if the domain's entry_cache_timeout is set to 30s and " "entry_cache_nowait_percentage is set to 50 (percent), entries that come in " "after 15 seconds past the last cache update will be returned immediately, " "but the SSSD will go and update the cache on its own, so that future " "requests will not need to block waiting for a cache update." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:998 msgid "" "Valid values for this option are 0-99 and represent a percentage of the " "entry_cache_timeout for each domain. For performance reasons, this " "percentage will never reduce the nowait timeout to less than 10 seconds. (0 " "disables this feature)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1006 sssd.conf.5.xml:2122 msgid "Default: 50" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1011 msgid "entry_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1014 msgid "" "Specifies for how many seconds nss_sss should cache negative cache hits " "(that is, queries for invalid database entries, like nonexistent ones) " "before asking the back end again." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1020 sssd.conf.5.xml:1779 sssd.conf.5.xml:2146 msgid "Default: 15" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1025 msgid "local_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1028 msgid "" "Specifies for how many seconds nss_sss should keep local users and groups in " "negative cache before trying to look it up in the back end again. Setting " "the option to 0 disables this feature." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1034 msgid "Default: 14400 (4 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1039 msgid "filter_users, filter_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1042 msgid "" "Exclude certain users or groups from being fetched from the sss NSS " "database. This is particularly useful for system accounts. This option can " "also be set per-domain or include fully-qualified names to filter only users " "from the particular domain or by a user principal name (UPN)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1050 msgid "" "NOTE: The filter_groups option doesn't affect inheritance of nested group " "members, since filtering happens after they are propagated for returning via " "NSS. E.g. a group having a member group filtered out will still have the " "member users of the latter listed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1058 msgid "Default: root" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1063 msgid "filter_users_in_groups (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1066 msgid "If you want filtered user still be group members set this option to false." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1077 msgid "fallback_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1080 msgid "" "Set a default template for a user's home directory if one is not specified " "explicitly by the domain's data provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1085 msgid "The available values for this option are the same as for override_homedir." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1091 #, no-wrap msgid "" "fallback_homedir = /home/%u\n" " " msgstr "" #. type: Content of: <varlistentry><listitem><para> #: sssd.conf.5.xml:1089 sssd.conf.5.xml:1651 sssd.conf.5.xml:1670 #: sssd.conf.5.xml:1747 sssd-krb5.5.xml:451 include/override_homedir.xml:66 msgid "example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1095 msgid "Default: not set (no substitution for unset home directories)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1101 msgid "override_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1104 msgid "" "Override the login shell for all users. This option supersedes any other " "shell options if it takes effect and can be set either in the [nss] section " "or per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1110 msgid "Default: not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1116 msgid "allowed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1119 msgid "Restrict user shell to one of the listed values. The order of evaluation is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1122 msgid "1. If the shell is present in <quote>/etc/shells</quote>, it is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1126 msgid "" "2. If the shell is in the allowed_shells list but not in " "<quote>/etc/shells</quote>, use the value of the shell_fallback parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1131 msgid "" "3. If the shell is not in the allowed_shells list and not in " "<quote>/etc/shells</quote>, a nologin shell is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1136 msgid "The wildcard (*) can be used to allow any shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1139 msgid "" "The (*) is useful if you want to use shell_fallback in case that user's " "shell is not in <quote>/etc/shells</quote> and maintaining list of all " "allowed shells in allowed_shells would be to much overhead." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1146 msgid "An empty string for shell is passed as-is to libc." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1149 msgid "" "The <quote>/etc/shells</quote> is only read on SSSD start up, which means " "that a restart of the SSSD is required in case a new shell is installed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1153 msgid "Default: Not set. The user shell is automatically used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1158 msgid "vetoed_shells (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1161 msgid "Replace any instance of these shells with the shell_fallback" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1166 msgid "shell_fallback (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1169 msgid "" "The default shell to use if an allowed shell is not installed on the " "machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1173 msgid "Default: /bin/sh" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1178 msgid "default_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1181 msgid "" "The default shell to use if the provider does not return one during " "lookup. This option can be specified globally in the [nss] section or " "per-domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1187 msgid "" "Default: not set (Return NULL if no shell is specified and rely on libc to " "substitute something sensible when necessary, usually /bin/sh)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1194 sssd.conf.5.xml:1577 msgid "get_domains_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1197 sssd.conf.5.xml:1580 msgid "" "Specifies time in seconds for which the list of subdomains will be " "considered valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1206 msgid "memcache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1209 msgid "" "Specifies time in seconds for which records in the in-memory cache will be " "valid. Setting this option to zero will disable the in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1217 msgid "" "WARNING: Disabling the in-memory cache will have significant negative impact " "on SSSD's performance and should only be used for testing." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1223 sssd.conf.5.xml:1248 sssd.conf.5.xml:1273 #: sssd.conf.5.xml:1298 sssd.conf.5.xml:1325 msgid "" "NOTE: If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", " "client applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1231 msgid "memcache_size_passwd (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1234 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for passwd requests. Setting the size to 0 will disable the passwd " "in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1240 sssd.conf.5.xml:2971 sssd-ldap.5.xml:549 msgid "Default: 8" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1243 sssd.conf.5.xml:1268 sssd.conf.5.xml:1293 #: sssd.conf.5.xml:1320 msgid "" "WARNING: Disabled or too small in-memory cache can have significant negative " "impact on SSSD's performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1256 msgid "memcache_size_group (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1259 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for group requests. Setting the size to 0 will disable the group in-memory " "cache." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1265 sssd.conf.5.xml:1317 sssd.conf.5.xml:3737 #: sssd-ldap.5.xml:474 sssd-ldap.5.xml:526 include/failover.xml:116 #: include/krb5_options.xml:11 msgid "Default: 6" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1281 msgid "memcache_size_initgroups (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1284 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for initgroups requests. Setting the size to 0 will disable the initgroups " "in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1306 msgid "memcache_size_sid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1309 msgid "" "Size (in megabytes) of the data table allocated inside fast in-memory cache " "for SID related requests. Only SID-by-ID and ID-by-SID requests are " "currently cached in fast in-memory cache. Setting the size to 0 will " "disable the SID in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:1333 sssd-ifp.5.xml:90 msgid "user_attributes (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1336 msgid "" "Some of the additional NSS responder requests can return more attributes " "than just the POSIX ones defined by the NSS interface. The list of " "attributes is controlled by this option. It is handled the same way as the " "<quote>user_attributes</quote> option of the InfoPipe responder (see " "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for details) but with no default " "values." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1349 msgid "" "To make configuration more easy the NSS responder will check the InfoPipe " "option if it is not set for the NSS responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1354 msgid "Default: not set, fallback to InfoPipe option" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1359 msgid "pwfield (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1362 msgid "" "The value that NSS operations that return users or groups will return for " "the <quote>password</quote> field." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1367 msgid "Default: <quote>*</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1370 msgid "" "Note: This option can also be set per-domain which overwrites the value in " "[nss] section." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1374 msgid "" "Default: <quote>not set</quote> (remote domains), <phrase " "condition=\"with_files_provider\"> <quote>x</quote> (the files domain), " "</phrase> <quote>x</quote> (proxy domain with nss_files and sssd-shadowutils " "target)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:1386 msgid "PAM configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:1388 msgid "" "These options can be used to configure the Pluggable Authentication Module " "(PAM) service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1393 msgid "offline_credentials_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1396 msgid "" "If the authentication provider is offline, how long should we allow cached " "logins (in days since the last successful online login)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1401 sssd.conf.5.xml:1414 msgid "Default: 0 (No limit)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1407 msgid "offline_failed_login_attempts (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1410 msgid "" "If the authentication provider is offline, how many failed login attempts " "are allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1420 msgid "offline_failed_login_delay (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1423 msgid "" "The time in minutes which has to pass after offline_failed_login_attempts " "has been reached before a new login attempt is possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1428 msgid "" "If set to 0 the user cannot authenticate offline if " "offline_failed_login_attempts has been reached. Only a successful online " "authentication can enable offline authentication again." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1434 sssd.conf.5.xml:1544 msgid "Default: 5" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1440 msgid "pam_verbosity (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1443 msgid "" "Controls what kind of messages are shown to the user during " "authentication. The higher the number to more messages are displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1448 msgid "Currently sssd supports the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1451 msgid "<emphasis>0</emphasis>: do not show any message" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1454 msgid "<emphasis>1</emphasis>: show only important messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1458 msgid "<emphasis>2</emphasis>: show informational messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1461 msgid "<emphasis>3</emphasis>: show all messages and debug information" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1465 sssd.8.xml:63 msgid "Default: 1" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1471 msgid "pam_response_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1474 msgid "" "A comma separated list of strings which allows to remove (filter) data sent " "by the PAM responder to pam_sss PAM module. There are different kind of " "responses sent to pam_sss e.g. messages displayed to the user or environment " "variables which should be set by pam_sss." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1482 msgid "" "While messages already can be controlled with the help of the pam_verbosity " "option this option allows to filter out other kind of responses as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1489 msgid "ENV" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1490 msgid "Do not send any environment variables to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1493 msgid "ENV:var_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1494 msgid "Do not send environment variable var_name to any service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1498 msgid "ENV:var_name:service" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1499 msgid "Do not send environment variable var_name to service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1487 msgid "" "Currently the following filters are supported: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1506 msgid "" "The list of strings can either be the list of filters which would set this " "list of filters and overwrite the defaults. Or each element of the list can " "be prefixed by a '+' or '-' character which would add the filter to the " "existing default or remove it from the defaults, respectively. Please note " "that either all list elements must have a '+' or '-' prefix or none. It is " "considered as an error to mix both styles." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1517 msgid "Default: ENV:KRB5CCNAME:sudo, ENV:KRB5CCNAME:sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1520 msgid "Example: -ENV:KRB5CCNAME:sudo-i will remove the filter from the default list" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1527 msgid "pam_id_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1530 msgid "" "For any PAM request while SSSD is online, the SSSD will attempt to " "immediately update the cached identity information for the user in order to " "ensure that authentication takes place with the latest information." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1536 msgid "" "A complete PAM conversation may perform multiple PAM requests, such as " "account management and session opening. This option controls (on a " "per-client-application basis) how long (in seconds) we can cache the " "identity information to avoid excessive round-trips to the identity " "provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1550 msgid "pam_pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1553 sssd.conf.5.xml:2995 msgid "Display a warning N days before the password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1556 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " "cannot display a warning." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1562 sssd.conf.5.xml:2998 msgid "" "If zero is set, then this filter is not applied, i.e. if the expiration " "warning was received from backend server, it will automatically be " "displayed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1567 msgid "" "This setting can be overridden by setting " "<emphasis>pwd_expiration_warning</emphasis> for a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1572 sssd.conf.5.xml:3984 sssd-ldap.5.xml:607 sssd.8.xml:79 msgid "Default: 0" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1589 msgid "pam_trusted_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1592 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to run PAM conversations against trusted domains. Users not " "included in this list can only access domains marked as public with " "<quote>pam_public_domains</quote>. User names are resolved to UIDs at " "startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1602 msgid "Default: All users are considered trusted by default" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1606 msgid "" "Please note that UID 0 is always allowed to access the PAM responder even in " "case it is not in the pam_trusted_users list." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1613 msgid "pam_public_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1616 msgid "" "Specifies the comma-separated list of domain names that are accessible even " "to untrusted users." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1620 msgid "Two special values for pam_public_domains option are defined:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1624 msgid "all (Untrusted users are allowed to access all domains in PAM responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1628 msgid "" "none (Untrusted users are not allowed to access any domains PAM in " "responder.)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1632 sssd.conf.5.xml:1657 sssd.conf.5.xml:1676 #: sssd.conf.5.xml:1913 sssd.conf.5.xml:2733 sssd.conf.5.xml:3913 #: sssd-ldap.5.xml:1209 msgid "Default: none" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1637 msgid "pam_account_expired_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1640 msgid "" "Allows a custom expiration message to be set, replacing the default " "'Permission denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1645 msgid "" "Note: Please be aware that message is only printed for the SSH service " "unless pam_verbosity is set to 3 (show all messages and debug information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1653 #, no-wrap msgid "" "pam_account_expired_message = Account expired, please contact help desk.\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1662 msgid "pam_account_locked_message (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1665 msgid "" "Allows a custom lockout message to be set, replacing the default 'Permission " "denied' message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1672 #, no-wrap msgid "" "pam_account_locked_message = Account locked, please contact help desk.\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1681 msgid "pam_passkey_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1684 msgid "Enable passkey device based authentication." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1687 sssd.conf.5.xml:1698 sssd.conf.5.xml:1712 #: sssd-ldap.5.xml:672 sssd-ldap.5.xml:693 sssd-ldap.5.xml:789 #: sssd-ldap.5.xml:1295 sssd-ad.5.xml:505 sssd-ad.5.xml:581 sssd-ad.5.xml:1126 #: sssd-ad.5.xml:1175 include/ldap_id_mapping.xml:250 msgid "Default: False" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1692 msgid "passkey_debug_libfido2 (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1695 msgid "Enable libfido2 library debug messages." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1703 msgid "pam_cert_auth (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1706 msgid "" "Enable certificate based Smartcard authentication. Since this requires " "additional communication with the Smartcard which will delay the " "authentication process this option is disabled by default." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1717 msgid "pam_cert_db_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1720 msgid "The path to the certificate database." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1723 sssd.conf.5.xml:2248 sssd.conf.5.xml:4373 msgid "Default:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1725 sssd.conf.5.xml:2250 msgid "" "/etc/sssd/pki/sssd_auth_ca_db.pem (path to a file with trusted CA " "certificates in PEM format)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1735 msgid "pam_cert_verification (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1738 msgid "" "With this parameter the PAM certificate verification can be tuned with a " "comma separated list of options that override the " "<quote>certificate_verification</quote> value in <quote>[sssd]</quote> " "section. Supported options are the same of " "<quote>certificate_verification</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1749 #, no-wrap msgid "" "pam_cert_verification = partial_chain\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1753 msgid "" "Default: not set, i.e. use default <quote>certificate_verification</quote> " "option defined in <quote>[sssd]</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1760 msgid "p11_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1763 msgid "How many seconds will pam_sss wait for p11_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1772 msgid "passkey_child_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1775 msgid "How many seconds will the PAM responder wait for passkey_child to finish." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1784 msgid "pam_app_services (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1787 msgid "" "Which PAM services are permitted to contact domains of type " "<quote>application</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1796 msgid "pam_p11_allowed_services (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1799 msgid "" "A comma-separated list of PAM service names for which it will be allowed to " "use Smartcards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1814 #, no-wrap msgid "" "pam_p11_allowed_services = +my_pam_service, -login\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1803 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in order " "to replace a default PAM service name for authentication with Smartcards " "(e.g. <quote>login</quote>) with a custom PAM service name " "(e.g. <quote>my_pam_service</quote>), you would use the following " "configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1818 sssd-ad.5.xml:644 sssd-ad.5.xml:753 sssd-ad.5.xml:811 #: sssd-ad.5.xml:869 sssd-ad.5.xml:947 msgid "Default: the default set of PAM service names includes:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1823 sssd-ad.5.xml:648 msgid "login" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1828 sssd-ad.5.xml:653 msgid "su" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1833 sssd-ad.5.xml:658 msgid "su-l" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1838 sssd-ad.5.xml:673 msgid "gdm-smartcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1843 sssd-ad.5.xml:668 msgid "gdm-password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1848 sssd-ad.5.xml:678 msgid "kdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1853 sssd-ad.5.xml:956 msgid "sudo" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1858 sssd-ad.5.xml:961 msgid "sudo-i" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:1863 msgid "gnome-screensaver" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1871 msgid "p11_wait_for_card_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1874 msgid "" "If Smartcard authentication is required how many extra seconds in addition " "to p11_child_timeout should the PAM responder wait until a Smartcard is " "inserted." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1885 msgid "p11_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1888 msgid "" "PKCS#11 URI (see RFC-7512 for details) which can be used to restrict the " "selection of devices used for Smartcard authentication. By default SSSD's " "p11_child will search for a PKCS#11 slot (reader) where the 'removable' " "flags is set and read the certificates from the inserted token from the " "first slot found. If multiple readers are connected p11_uri can be used to " "tell p11_child to use a specific reader." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1901 #, no-wrap msgid "" "p11_uri = pkcs11:slot-description=My%20Smartcard%20Reader\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1905 #, no-wrap msgid "" "p11_uri = " "pkcs11:library-description=OpenSC%20smartcard%20framework;slot-id=2\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1899 msgid "" "Example: <placeholder type=\"programlisting\" id=\"0\"/> or <placeholder " "type=\"programlisting\" id=\"1\"/> To find suitable URI please check the " "debug output of p11_child. As an alternative the GnuTLS utility 'p11tool' " "with e.g. the '--list-all' will show PKCS#11 URIs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:1918 msgid "pam_initgroups_scheme" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1926 msgid "always" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1927 msgid "Always do an online lookup, please note that pam_id_timeout still applies" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1931 msgid "no_session" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1932 msgid "" "Only do an online lookup if there is no active session of the user, i.e. if " "the user is currently not logged in" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:1937 msgid "never" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1938 msgid "" "Never force an online lookup, use the data from the cache as long as they " "are not expired" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1921 msgid "" "The PAM responder can force an online lookup to get the current group " "memberships of the user trying to log in. This option controls when this " "should be done and the following values are allowed: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1945 msgid "Default: no_session" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:1950 sssd.conf.5.xml:4312 msgid "pam_gssapi_services" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1953 msgid "" "Comma separated list of PAM services that are allowed to try GSSAPI " "authentication using pam_sss_gss.so module." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1958 msgid "" "To disable GSSAPI authentication, set this option to <quote>-</quote> " "(dash)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1962 sssd.conf.5.xml:1993 sssd.conf.5.xml:2031 msgid "" "Note: This option can also be set per-domain which overwrites the value in " "[pam] section. It can also be set for trusted domain which overwrites the " "value in the domain section." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:1970 #, no-wrap msgid "" "pam_gssapi_services = sudo, sudo-i\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1968 sssd.conf.5.xml:3907 msgid "Example: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1974 msgid "Default: - (GSSAPI authentication is disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:1979 sssd.conf.5.xml:4313 msgid "pam_gssapi_check_upn" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1982 msgid "" "If True, SSSD will require that the Kerberos user principal that " "successfully authenticated through GSSAPI can be associated with the user " "who is being authenticated. Authentication will fail if the check fails." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1989 msgid "" "If False, every user that is able to obtained required service ticket will " "be authenticated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:1999 sssd-ad.5.xml:1271 sss_rpcidmapd.5.xml:76 #: sssd-files.5.xml:145 msgid "Default: True" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2004 msgid "pam_gssapi_indicators_map" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2007 msgid "" "Comma separated list of authentication indicators required to be present in " "a Kerberos ticket to access a PAM service that is allowed to try GSSAPI " "authentication using pam_sss_gss.so module." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2013 msgid "" "Each element of the list can be either an authentication indicator name or a " "pair <quote>service:indicator</quote>. Indicators not prefixed with the PAM " "service name will be required to access any PAM service configured to be " "used with <option>pam_gssapi_services</option>. A resulting list of " "indicators per PAM service is then checked against indicators in the " "Kerberos ticket during authentication by pam_sss_gss.so. Any indicator from " "the ticket that matches the resulting list of indicators for the PAM service " "would grant access. If none of the indicators in the list match, access will " "be denied. If the resulting list of indicators for the PAM service is empty, " "the check will not prevent the access." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2026 msgid "" "To disable GSSAPI authentication indicator check, set this option to " "<quote>-</quote> (dash). To disable the check for a specific PAM service, " "add <quote>service:-</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2037 msgid "" "Following authentication indicators are supported by IPA Kerberos " "deployments:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2040 msgid "" "pkinit -- pre-authentication using X.509 certificates -- whether stored in " "files or on smart cards." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2043 msgid "" "hardened -- SPAKE pre-authentication or any pre-authentication wrapped in a " "FAST channel." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2046 msgid "radius -- pre-authentication with the help of a RADIUS server." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2049 msgid "" "otp -- pre-authentication using integrated two-factor authentication (2FA or " "one-time password, OTP) in IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2052 msgid "idp -- pre-authentication using external identity provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:2062 #, no-wrap msgid "" "pam_gssapi_indicators_map = sudo:pkinit, sudo-i:pkinit\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2057 msgid "" "Example: to require access to SUDO services only for users which obtained " "their Kerberos tickets with a X.509 certificate pre-authentication (PKINIT), " "set <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2066 msgid "Default: not set (use of authentication indicators is not required)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2074 msgid "SUDO configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2076 msgid "" "These options can be used to configure the sudo service. The detailed " "instructions for configuration of <citerefentry> " "<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " "to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> are in the manual page " "<citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2093 msgid "sudo_timed (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2096 msgid "" "Whether or not to evaluate the sudoNotBefore and sudoNotAfter attributes " "that implement time-dependent sudoers entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2108 msgid "sudo_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2111 msgid "" "Maximum number of expired rules that can be refreshed at once. If number of " "expired rules is below threshold, those rules are refreshed with " "<quote>rules refresh</quote> mechanism. If the threshold is exceeded a " "<quote>full refresh</quote> of sudo rules is triggered instead. This " "threshold number also applies to IPA sudo command and command group " "searches." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2130 msgid "AUTOFS configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2132 msgid "These options can be used to configure the autofs service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2136 msgid "autofs_negative_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2139 msgid "" "Specifies for how many seconds should the autofs responder negative cache " "hits (that is, queries for invalid map entries, like nonexistent ones) " "before asking the back end again." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2155 msgid "SSH configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2157 msgid "These options can be used to configure the SSH service." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2161 msgid "ssh_hash_known_hosts (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2164 msgid "" "Whether or not to hash host names and addresses in the managed known_hosts " "file." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2173 msgid "ssh_known_hosts_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2176 msgid "" "How many seconds to keep a host in the managed known_hosts file after its " "host keys were requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2180 msgid "Default: 180" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2185 msgid "ssh_use_certificate_keys (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2188 msgid "" "If set to true the <command>sss_ssh_authorizedkeys</command> will return ssh " "keys derived from the public key of X.509 certificates stored in the user " "entry as well. See <citerefentry> " "<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " "<manvolnum>1</manvolnum> </citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2203 msgid "ssh_use_certificate_matching_rules (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2206 msgid "" "By default the ssh responder will use all available certificate matching " "rules to filter the certificates so that ssh keys are only derived from the " "matching ones. With this option the used rules can be restricted with a " "comma separated list of mapping and matching rule names. All other rules " "will be ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2215 msgid "" "There are two special key words 'all_rules' and 'no_rules' which will enable " "all or no rules, respectively. The latter means that no certificates will be " "filtered out and ssh keys will be generated from all valid certificates." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2222 msgid "" "If no rules are configured using 'all_rules' will enable a default rule " "which enables all certificates suitable for client authentication. This is " "the same behavior as for the PAM responder if certificate authentication is " "enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2229 msgid "" "A non-existing rule name is considered an error. If as a result no rule is " "selected all certificates will be ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2234 msgid "" "Default: not set, equivalent to 'all_rules', all found rules or the default " "rule are used" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2240 msgid "ca_db (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2243 msgid "" "Path to a storage of trusted CA certificates. The option is used to validate " "user certificates before deriving public ssh keys from them." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2263 msgid "PAC responder configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2265 msgid "" "The PAC responder works together with the authorization data plugin for MIT " "Kerberos sssd_pac_plugin.so and a sub-domain provider. The plugin sends the " "PAC data during a GSSAPI authentication to the PAC responder. The sub-domain " "provider collects domain SID and ID ranges of the domain the client is " "joined to and of remote trusted domains from the local domain controller. If " "the PAC is decoded and evaluated some of the following operations are done:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2274 msgid "" "If the remote user does not exist in the cache, it is created. The UID is " "determined with the help of the SID, trusted domains will have UPGs and the " "GID will have the same value as the UID. The home directory is set based on " "the subdomain_homedir parameter. The shell will be empty by default, " "i.e. the system defaults are used, but can be overwritten with the " "default_shell parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:2282 msgid "" "If there are SIDs of groups from domains sssd knows about, the user will be " "added to those groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2288 msgid "These options can be used to configure the PAC responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2292 sssd-ifp.5.xml:66 msgid "allowed_uids (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2295 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the PAC responder. User names are resolved to UIDs at " "startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2301 msgid "Default: 0 (only the root user is allowed to access the PAC responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2305 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " "access the PAC responder, which would be the typical case, you have to add 0 " "to the list of allowed UIDs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2314 msgid "pac_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2317 msgid "" "Lifetime of the PAC entry in seconds. As long as the PAC is valid the PAC " "data can be used to determine the group memberships of a user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:2327 msgid "pac_check (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2330 msgid "" "Apply additional checks on the PAC of the Kerberos ticket which is available " "in Active Directory and FreeIPA domains, if configured. Please note that " "Kerberos ticket validation must be enabled to be able to check the PAC, " "i.e. the krb5_validate option must be set to 'True' which is the default for " "the IPA and AD provider. If krb5_validate is set to 'False' the PAC checks " "will be skipped." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2344 msgid "no_check" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2346 msgid "" "The PAC must not be present and even if it is present no additional checks " "will be done." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2352 msgid "pac_present" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2354 msgid "" "The PAC must be present in the service ticket which SSSD will request with " "the help of the user's TGT. If the PAC is not available the authentication " "will fail." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2362 msgid "check_upn" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2364 msgid "" "If the PAC is present check if the user principal name (UPN) information is " "consistent." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2370 msgid "check_upn_allow_missing" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2372 msgid "" "This option should be used together with 'check_upn' and handles the case " "where a UPN is set on the server-side but is not read by SSSD. The typical " "example is a FreeIPA domain where 'ldap_user_principal' is set to a not " "existing attribute name. This was typically done to work-around issues in " "the handling of enterprise principals. But this is fixed since quite some " "time and FreeIPA can handle enterprise principals just fine and there is no " "need anymore to set 'ldap_user_principal'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2384 msgid "" "Currently this option is set by default to avoid regressions in such " "environments. A log message will be added to the system log and SSSD's debug " "log in case a UPN is found in the PAC but not in SSSD's cache. To avoid this " "log message it would be best to evaluate if the 'ldap_user_principal' option " "can be removed. If this is not possible, removing 'check_upn' will skip the " "test and avoid the log message." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2398 msgid "upn_dns_info_present" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2400 msgid "The PAC must contain the UPN-DNS-INFO buffer, implies 'check_upn'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2405 msgid "check_upn_dns_info_ex" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2407 msgid "" "If the PAC is present and the extension to the UPN-DNS-INFO buffer is " "available check if the information in the extension is consistent." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2414 msgid "upn_dns_info_ex_present" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2416 msgid "" "The PAC must contain the extension of the UPN-DNS-INFO buffer, implies " "'check_upn_dns_info_ex', 'upn_dns_info_present' and 'check_upn'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2340 msgid "" "The following options can be used alone or in a comma-separated list: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2426 msgid "" "Default: no_check (AD and IPA provider 'check_upn, check_upn_allow_missing, " "check_upn_dns_info_ex')" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:2435 msgid "Session recording configuration options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2437 msgid "" "Session recording works in conjunction with <citerefentry> " "<refentrytitle>tlog-rec-session</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>, a part of tlog package, to log what users see and type when " "they log in on a text terminal. See also <citerefentry> " "<refentrytitle>sssd-session-recording</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:2450 msgid "These options can be used to configure session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2454 sssd-session-recording.5.xml:64 msgid "scope (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2461 sssd-session-recording.5.xml:71 msgid "\"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2464 sssd-session-recording.5.xml:74 msgid "No users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2469 sssd-session-recording.5.xml:79 msgid "\"some\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2472 sssd-session-recording.5.xml:82 msgid "" "Users/groups specified by <replaceable>users</replaceable> and " "<replaceable>groups</replaceable> options are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2481 sssd-session-recording.5.xml:91 msgid "\"all\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2484 sssd-session-recording.5.xml:94 msgid "All users are recorded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2457 sssd-session-recording.5.xml:67 msgid "" "One of the following strings specifying the scope of session recording: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2491 sssd-session-recording.5.xml:101 msgid "Default: \"none\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2496 sssd-session-recording.5.xml:106 msgid "users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2499 sssd-session-recording.5.xml:109 msgid "" "A comma-separated list of users which should have session recording " "enabled. Matches user names as returned by NSS. I.e. after the possible " "space replacement, case changes, etc." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2505 sssd-session-recording.5.xml:115 msgid "Default: Empty. Matches no users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2510 sssd-session-recording.5.xml:120 msgid "groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2513 sssd-session-recording.5.xml:123 msgid "" "A comma-separated list of groups, members of which should have session " "recording enabled. Matches group names as returned by NSS. I.e. after the " "possible space replacement, case changes, etc." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2519 sssd.conf.5.xml:2551 sssd-session-recording.5.xml:129 #: sssd-session-recording.5.xml:161 msgid "" "NOTE: using this option (having it set to anything) has a considerable " "performance cost, because each uncached request for a user requires " "retrieving and matching the groups the user is member of." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2526 sssd-session-recording.5.xml:136 msgid "Default: Empty. Matches no groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2531 sssd-session-recording.5.xml:141 msgid "exclude_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2534 sssd-session-recording.5.xml:144 msgid "" "A comma-separated list of users to be excluded from recording, only " "applicable with 'scope=all'." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2538 sssd-session-recording.5.xml:148 msgid "Default: Empty. No users excluded." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:2543 sssd-session-recording.5.xml:153 msgid "exclude_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2546 sssd-session-recording.5.xml:156 msgid "" "A comma-separated list of groups, members of which should be excluded from " "recording. Only applicable with 'scope=all'." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2558 sssd-session-recording.5.xml:168 msgid "Default: Empty. No groups excluded." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:2568 msgid "DOMAIN SECTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2575 msgid "enabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2578 msgid "" "Explicitly enable or disable the domain. If <quote>true</quote>, the domain " "is always <quote>enabled</quote>. If <quote>false</quote>, the domain is " "always <quote>disabled</quote>. If this option is not set, the domain is " "enabled only if it is listed in the domains option in the " "<quote>[sssd]</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2590 msgid "domain_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2593 msgid "" "Specifies whether the domain is meant to be used by POSIX-aware clients such " "as the Name Service Switch or by applications that do not need POSIX data to " "be present or generated. Only objects from POSIX domains are available to " "the operating system interfaces and utilities." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2601 msgid "" "Allowed values for this option are <quote>posix</quote> and " "<quote>application</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2605 msgid "" "POSIX domains are reachable by all services. Application domains are only " "reachable from the InfoPipe responder (see <citerefentry> " "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry>) and the PAM responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2613 msgid "" "NOTE: The application domains are currently well tested with " "<quote>id_provider=ldap</quote> only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2617 msgid "" "For an easy way to configure a non-POSIX domains, please see the " "<quote>Application domains</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2621 msgid "Default: posix" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2627 msgid "min_id,max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2630 msgid "" "UID and GID limits for the domain. If a domain contains an entry that is " "outside these limits, it is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2635 msgid "" "For users, this affects the primary GID limit. The user will not be returned " "to NSS if either the UID or the primary GID is outside the range. For " "non-primary group memberships, those that are in range will be reported as " "expected." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2642 msgid "" "These ID limits affect even saving entries to cache, not only returning them " "by name or ID." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2646 msgid "Default: 1 for min_id, 0 (no limit) for max_id" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2652 msgid "enumerate (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2655 msgid "" "Determines if a domain can be enumerated, that is, whether the domain can " "list all the users and group it contains. Note that it is not required to " "enable enumeration in order for secondary groups to be displayed. This " "parameter can have one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2663 msgid "TRUE = Users and groups are enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2666 msgid "FALSE = No enumerations for this domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2669 sssd.conf.5.xml:2950 sssd.conf.5.xml:3127 msgid "Default: FALSE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2672 msgid "" "Enumerating a domain requires SSSD to download and store ALL user and group " "entries from the remote server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2677 msgid "" "Note: Enabling enumeration has a moderate performance impact on SSSD while " "enumeration is running. It may take up to several minutes after SSSD startup " "to fully complete enumerations. During this time, individual requests for " "information will go directly to LDAP, though it may be slow, due to the " "heavy enumeration processing. Saving a large number of entries to cache " "after the enumeration completes might also be CPU intensive as the " "memberships have to be recomputed. This can lead to the " "<quote>sssd_be</quote> process becoming unresponsive or even restarted by " "the internal watchdog." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2692 msgid "" "While the first enumeration is running, requests for the complete user or " "group lists may return no results until it completes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2697 msgid "" "Further, enabling enumeration may increase the time necessary to detect " "network disconnection, as longer timeouts are required to ensure that " "enumeration lookups are completed successfully. For more information, refer " "to the man pages for the specific id_provider in use." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2705 msgid "" "For the reasons cited above, enabling enumeration is not recommended, " "especially in large environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2713 msgid "subdomain_enumerate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2720 msgid "all" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2721 msgid "All discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2724 msgid "none" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2725 msgid "No discovered trusted domains will be enumerated" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2716 msgid "" "Whether any of autodetected trusted domains should be enumerated. The " "supported values are: <placeholder type=\"variablelist\" id=\"0\"/> " "Optionally, a list of one or more domain names can enable enumeration just " "for these trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2739 msgid "entry_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2742 msgid "" "How many seconds should nss_sss consider entries valid before asking the " "backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2746 msgid "" "The cache expiration timestamps are stored as attributes of individual " "objects in the cache. Therefore, changing the cache timeout only has effect " "for newly added or expired entries. You should run the <citerefentry> " "<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry> tool in order to force refresh of entries that have already " "been cached." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2759 msgid "Default: 5400" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2765 msgid "entry_cache_user_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2768 msgid "" "How many seconds should nss_sss consider user entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2772 sssd.conf.5.xml:2785 sssd.conf.5.xml:2798 #: sssd.conf.5.xml:2811 sssd.conf.5.xml:2825 sssd.conf.5.xml:2838 #: sssd.conf.5.xml:2852 sssd.conf.5.xml:2866 sssd.conf.5.xml:2879 msgid "Default: entry_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2778 msgid "entry_cache_group_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2781 msgid "" "How many seconds should nss_sss consider group entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2791 msgid "entry_cache_netgroup_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2794 msgid "" "How many seconds should nss_sss consider netgroup entries valid before " "asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2804 msgid "entry_cache_service_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2807 msgid "" "How many seconds should nss_sss consider service entries valid before asking " "the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2817 msgid "entry_cache_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2820 msgid "" "How many seconds should nss_sss consider hosts and networks entries valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2831 msgid "entry_cache_sudo_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2834 msgid "" "How many seconds should sudo consider rules valid before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2844 msgid "entry_cache_autofs_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2847 msgid "" "How many seconds should the autofs service consider automounter maps valid " "before asking the backend again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2858 msgid "entry_cache_ssh_host_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2861 msgid "" "How many seconds to keep a host ssh key after refresh. IE how long to cache " "the host key for." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2872 msgid "entry_cache_computer_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2875 msgid "" "How many seconds to keep the local computer entry before asking the backend " "again" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2885 msgid "refresh_expired_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2888 msgid "" "Specifies how many seconds SSSD has to wait before triggering a background " "refresh task which will refresh all expired or nearly expired records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2893 msgid "" "The background refresh will process users, groups and netgroups in the " "cache. For users who have performed the initgroups (get group membership for " "user, typically ran at login) operation in the past, both the user entry " "and the group membership are updated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2901 msgid "This option is automatically inherited for all trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2905 msgid "You can consider setting this value to 3/4 * entry_cache_timeout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2909 msgid "" "Cache entry will be refreshed by background task when 2/3 of cache timeout " "has already passed. If there are existing cached entries, the background " "task will refer to their original cache timeout values instead of current " "configuration value. This may lead to a situation in which background " "refresh task appears to not be working. This is done by design to improve " "offline mode operation and reuse of existing valid cache entries. To make " "this change instant the user may want to manually invalidate existing cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2922 sssd-ldap.5.xml:361 sssd-ldap.5.xml:1738 #: sssd-ipa.5.xml:270 msgid "Default: 0 (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2928 msgid "cache_credentials (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2931 msgid "" "Determines if user credentials are also cached in the local LDB cache. The " "cached credentials refer to passwords, which includes the first (long term) " "factor of two-factor authentication, not other authentication " "mechanisms. Passkey and Smartcard authentications are expected to work " "offline as long as a successful online authentication is recorded in the " "cache without additional configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2942 msgid "" "Take a note that while credentials are stored as a salted SHA512 hash, this " "still potentially poses some security risk in case an attacker manages to " "get access to a cache file (normally requires privileged access) and to " "break a password using brute force attack." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2956 msgid "cache_credentials_minimal_first_factor_length (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2959 msgid "" "If 2-Factor-Authentication (2FA) is used and credentials should be saved " "this value determines the minimal length the first authentication factor " "(long term password) must have to be saved as SHA512 hash into the cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2966 msgid "" "This should avoid that the short PINs of a PIN based 2FA scheme are saved in " "the cache which would make them easy targets for brute-force attacks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2977 msgid "account_cache_expiration (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2980 msgid "" "Number of days entries are left in cache after last successful login before " "being removed during a cleanup of the cache. 0 means keep forever. The " "value of this parameter must be greater than or equal to " "offline_credentials_expiration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:2987 msgid "Default: 0 (unlimited)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:2992 msgid "pwd_expiration_warning (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3003 msgid "" "Please note that the backend server has to provide information about the " "expiration time of the password. If this information is missing, sssd " "cannot display a warning. Also an auth provider has to be configured for the " "backend." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3010 msgid "Default: 7 (Kerberos), 0 (LDAP)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3016 msgid "id_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3019 msgid "" "The identification provider used for the domain. Supported ID providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3023 msgid "<quote>proxy</quote>: Support a legacy NSS provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3026 msgid "" "<quote>files</quote>: FILES provider. See <citerefentry> " "<refentrytitle>sssd-files</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more information on how to mirror local users and groups " "into SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3034 msgid "" "<quote>ldap</quote>: LDAP provider. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3042 sssd.conf.5.xml:3153 sssd.conf.5.xml:3204 #: sssd.conf.5.xml:3267 msgid "" "<quote>ipa</quote>: FreeIPA and Red Hat Identity Management provider. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " "FreeIPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3051 sssd.conf.5.xml:3162 sssd.conf.5.xml:3213 #: sssd.conf.5.xml:3276 msgid "" "<quote>ad</quote>: Active Directory provider. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more information on configuring Active Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3062 msgid "use_fully_qualified_names (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3065 msgid "" "Use the full name and domain (as formatted by the domain's full_name_format) " "as the user's login name reported to NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3070 msgid "" "If set to TRUE, all requests to this domain must use fully qualified " "names. For example, if used in LOCAL domain that contains a \"test\" user, " "<command>getent passwd test</command> wouldn't find the user while " "<command>getent passwd test@LOCAL</command> would." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3078 msgid "" "NOTE: This option has no effect on netgroup lookups due to their tendency to " "include nested netgroups without qualified names. For netgroups, all domains " "will be searched when an unqualified name is requested." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3085 msgid "" "Default: FALSE (TRUE for trusted domain/sub-domains or if " "default_domain_suffix is used)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3092 msgid "ignore_group_members (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3095 msgid "Do not return group members for group lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3098 msgid "" "If set to TRUE, the group membership attribute is not requested from the " "ldap server, and group members are not returned when processing group lookup " "calls, such as <citerefentry> <refentrytitle>getgrnam</refentrytitle> " "<manvolnum>3</manvolnum> </citerefentry> or <citerefentry> " "<refentrytitle>getgrgid</refentrytitle> <manvolnum>3</manvolnum> " "</citerefentry>. As an effect, <quote>getent group $groupname</quote> would " "return the requested group as if it was empty." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3116 msgid "" "Enabling this option can also make access provider checks for group " "membership significantly faster, especially for groups containing many " "members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3122 sssd.conf.5.xml:3829 sssd-ldap.5.xml:327 #: sssd-ldap.5.xml:356 sssd-ldap.5.xml:409 sssd-ldap.5.xml:469 #: sssd-ldap.5.xml:490 sssd-ldap.5.xml:521 sssd-ldap.5.xml:544 #: sssd-ldap.5.xml:583 sssd-ldap.5.xml:602 sssd-ldap.5.xml:626 #: sssd-ldap.5.xml:1053 sssd-ldap.5.xml:1086 msgid "" "This option can be also set per subdomain or inherited via " "<emphasis>subdomain_inherit</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3132 msgid "auth_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3135 msgid "" "The authentication provider used for the domain. Supported auth providers " "are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3139 sssd.conf.5.xml:3197 msgid "" "<quote>ldap</quote> for native LDAP authentication. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3146 msgid "" "<quote>krb5</quote> for Kerberos authentication. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more information on configuring Kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3170 msgid "<quote>proxy</quote> for relaying authentication to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3173 msgid "<quote>none</quote> disables authentication explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3176 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "authentication requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3182 msgid "access_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3185 msgid "" "The access control provider used for the domain. There are two built-in " "access providers (in addition to any included in installed backends) " "Internal special providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3191 msgid "" "<quote>permit</quote> always allow access. It's the only permitted access " "provider for a local domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3194 msgid "<quote>deny</quote> always deny access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3221 msgid "" "<quote>simple</quote> access control based on access or deny lists. See " "<citerefentry> <refentrytitle>sssd-simple</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> for more information on configuring " "the simple access module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3228 msgid "" "<quote>krb5</quote>: .k5login based access control. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> for more information on configuring " "Kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3235 msgid "<quote>proxy</quote> for relaying access control to another PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3238 msgid "Default: <quote>permit</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3243 msgid "chpass_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3246 msgid "" "The provider which should handle change password operations for the domain. " "Supported change password providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3251 msgid "" "<quote>ldap</quote> to change a password stored in a LDAP server. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " "LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3259 msgid "" "<quote>krb5</quote> to change the Kerberos password. See <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more information on configuring Kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3284 msgid "<quote>proxy</quote> for relaying password changes to some other PAM target." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3288 msgid "<quote>none</quote> disallows password changes explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3291 msgid "" "Default: <quote>auth_provider</quote> is used if it is set and can handle " "change password requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3298 msgid "sudo_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3301 msgid "The SUDO provider used for the domain. Supported SUDO providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3305 msgid "" "<quote>ldap</quote> for rules stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3313 msgid "" "<quote>ipa</quote> the same as <quote>ldap</quote> but with IPA default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3317 msgid "" "<quote>ad</quote> the same as <quote>ldap</quote> but with AD default " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3321 msgid "<quote>none</quote> disables SUDO explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3324 sssd.conf.5.xml:3410 sssd.conf.5.xml:3480 #: sssd.conf.5.xml:3505 sssd.conf.5.xml:3541 msgid "Default: The value of <quote>id_provider</quote> is used if it is set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3328 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>. There are many configuration " "options that can be used to adjust the behavior. Please refer to " "\"ldap_sudo_*\" in <citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3343 msgid "" "<emphasis>NOTE:</emphasis> Sudo rules are periodically downloaded in the " "background unless the sudo provider is explicitly disabled. Set " "<emphasis>sudo_provider = None</emphasis> to disable all sudo-related " "activity in SSSD if you do not want to use sudo with SSSD at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3353 msgid "selinux_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3356 msgid "" "The provider which should handle loading of selinux settings. Note that this " "provider will be called right after access provider ends. Supported selinux " "providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3362 msgid "" "<quote>ipa</quote> to load selinux settings from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " "IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3370 msgid "<quote>none</quote> disallows fetching selinux settings explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3373 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can handle " "selinux loading requests." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3379 msgid "subdomains_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3382 msgid "" "The provider which should handle fetching of subdomains. This value should " "be always the same as id_provider. Supported subdomain providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3388 msgid "" "<quote>ipa</quote> to load a list of subdomains from an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " "IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3397 msgid "" "<quote>ad</quote> to load a list of subdomains from an Active Directory " "server. See <citerefentry> <refentrytitle>sssd-ad</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " "the AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3406 msgid "<quote>none</quote> disallows fetching subdomains explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3416 msgid "session_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3419 msgid "" "The provider which configures and manages user session related tasks. The " "only user session task currently provided is the integration with Fleet " "Commander, which works only with IPA. Supported session providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3426 msgid "<quote>ipa</quote> to allow performing user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3430 msgid "<quote>none</quote> does not perform any kind of user session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3434 msgid "" "Default: <quote>id_provider</quote> is used if it is set and can perform " "session related tasks." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3438 msgid "" "<emphasis>NOTE:</emphasis> In order to have this feature working as expected " "SSSD must be running as \"root\" and not as the unprivileged user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3446 msgid "autofs_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3449 msgid "The autofs provider used for the domain. Supported autofs providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3453 msgid "" "<quote>ldap</quote> to load maps stored in LDAP. See <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more information on configuring LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3460 msgid "" "<quote>ipa</quote> to load maps stored in an IPA server. See <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more information on configuring IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3468 msgid "" "<quote>ad</quote> to load maps stored in an AD server. See <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more information on configuring the AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3477 msgid "<quote>none</quote> disables autofs explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3487 msgid "hostid_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3490 msgid "" "The provider used for retrieving host identity information. Supported " "hostid providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3494 msgid "" "<quote>ipa</quote> to load host identity stored in an IPA server. See " "<citerefentry> <refentrytitle>sssd-ipa</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " "IPA." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3502 msgid "<quote>none</quote> disables hostid explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3512 msgid "resolver_provider (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3515 msgid "" "The provider which should handle hosts and networks lookups. Supported " "resolver providers are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3519 msgid "" "<quote>proxy</quote> to forward lookups to another NSS library. See " "<quote>proxy_resolver_lib_name</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3523 msgid "" "<quote>ldap</quote> to fetch hosts and networks stored in LDAP. See " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " "LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3530 msgid "" "<quote>ad</quote> to fetch hosts and networks stored in AD. See " "<citerefentry> <refentrytitle>sssd-ad</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for more information on configuring " "the AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3538 msgid "<quote>none</quote> disallows fetching hosts and networks explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3551 msgid "" "Regular expression for this domain that describes how to parse the string " "containing user name and domain into these components. The \"domain\" can " "match either the SSSD configuration domain name, or, in the case of IPA " "trust subdomains and Active Directory domains, the flat (NetBIOS) name of " "the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3560 msgid "" "Default: " "<quote>^((?P<name>.+)@(?P<domain>[^@]*)|(?P<name>[^@]+))$</quote> " "which allows two different styles for user names:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3565 sssd.conf.5.xml:3579 msgid "username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3568 sssd.conf.5.xml:3582 msgid "username@domain.name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3573 msgid "" "Default for the AD and IPA provider: " "<quote>^(((?P<domain>[^\\\\]+)\\\\(?P<name>.+))|((?P<name>.+)@(?P<domain>[^@]+))|((?P<name>[^@\\\\]+)))$</quote> " "which allows three different styles for user names:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:3585 msgid "domain\\username" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3588 msgid "" "While the first two correspond to the general default the third one is " "introduced to allow easy integration of users from Windows domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3593 msgid "" "The default re_expression uses the <quote>@</quote> character as a separator " "between the name and the domain. As a result of this setting the default " "does not accept the <quote>@</quote> character in short names (as it is " "allowed in Windows group names). If a user wishes to use short names with " "<quote>@</quote> they must create their own re_expression." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3645 msgid "Default: <quote>%1$s@%2$s</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3651 msgid "lookup_family_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3654 msgid "" "Provides the ability to select preferred address family to use when " "performing DNS lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3658 msgid "Supported values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3661 msgid "ipv4_first: Try looking up IPv4 address, if that fails, try IPv6" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3664 msgid "ipv4_only: Only attempt to resolve hostnames to IPv4 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3667 msgid "ipv6_first: Try looking up IPv6 address, if that fails, try IPv4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3670 msgid "ipv6_only: Only attempt to resolve hostnames to IPv6 addresses." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3673 msgid "Default: ipv4_first" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3679 msgid "dns_resolver_server_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3682 msgid "" "Defines the amount of time (in milliseconds) SSSD would try to talk to DNS " "server before trying next DNS server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3687 msgid "The AD provider will use this option for the CLDAP ping timeouts as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3691 sssd.conf.5.xml:3711 sssd.conf.5.xml:3732 msgid "" "Please see the section <quote>FAILOVER</quote> for more information about " "the service resolution." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3696 sssd-ldap.5.xml:645 include/failover.xml:84 msgid "Default: 1000" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3702 msgid "dns_resolver_op_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3705 msgid "" "Defines the amount of time (in seconds) to wait to resolve single DNS query " "(e.g. resolution of a hostname or an SRV record) before trying the next " "hostname or DNS discovery." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3722 msgid "dns_resolver_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3725 msgid "" "Defines the amount of time (in seconds) to wait for a reply from the " "internal fail over service before assuming that the service is " "unreachable. If this timeout is reached, the domain will continue to operate " "in offline mode." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3743 msgid "dns_resolver_use_search_list (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3746 msgid "" "Normally, the DNS resolver searches the domain list defined in the " "\"search\" directive from the resolv.conf file. This can lead to delays in " "environments with improperly configured DNS." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3752 msgid "" "If fully qualified domain names (or _srv_) are used in the SSSD " "configuration, setting this option to FALSE can prevent unnecessary DNS " "lookups in such environments." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3758 msgid "Default: TRUE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3764 msgid "dns_discovery_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3767 msgid "" "If service discovery is used in the back end, specifies the domain part of " "the service discovery DNS query." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3771 msgid "Default: Use the domain part of machine's hostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3777 msgid "override_gid (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3780 msgid "Override the primary GID value with the one specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3786 msgid "case_sensitive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3793 msgid "True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3796 msgid "Case sensitive. This value is invalid for AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3802 msgid "False" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3804 msgid "Case insensitive." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3808 msgid "Preserving" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3811 msgid "" "Same as False (case insensitive), but does not lowercase names in the result " "of NSS operations. Note that name aliases (and in case of services also " "protocol names) are still lowercased in the output." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3819 msgid "" "If you want to set this value for trusted domain with IPA provider, you need " "to set it on both the client and SSSD on the server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3789 msgid "" "Treat user and group names as case sensitive. Possible option values are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3834 msgid "Default: True (False for AD provider)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3840 msgid "subdomain_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3843 msgid "" "Specifies a list of configuration parameters that should be inherited by a " "subdomain. Please note that only selected parameters can be inherited. " "Currently the following options can be inherited:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3849 msgid "ldap_search_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3852 msgid "ldap_network_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3855 msgid "ldap_opt_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3858 msgid "ldap_offline_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3861 msgid "ldap_enumeration_refresh_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3864 msgid "ldap_enumeration_refresh_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3867 msgid "ldap_purge_cache_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3870 msgid "ldap_purge_cache_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3873 msgid "" "ldap_krb5_keytab (the value of krb5_keytab will be used if ldap_krb5_keytab " "is not set explicitly)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3877 msgid "ldap_krb5_ticket_lifetime" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3880 msgid "ldap_enumeration_search_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3883 msgid "ldap_connection_expire_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3886 msgid "ldap_connection_expire_offset" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3889 msgid "ldap_connection_idle_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3892 sssd-ldap.5.xml:401 msgid "ldap_use_tokengroups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3895 msgid "ldap_user_principal" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3898 msgid "ignore_group_members" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3901 msgid "auto_private_groups" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3904 msgid "case_sensitive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:3909 #, no-wrap msgid "" "subdomain_inherit = ldap_purge_cache_timeout\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3916 msgid "Note: This option only works with the IPA and AD provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3923 msgid "subdomain_homedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3934 msgid "%F" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3935 msgid "flat (NetBIOS) name of a subdomain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3926 msgid "" "Use this homedir as default value for all subdomains within this domain in " "IPA AD trust. See <emphasis>override_homedir</emphasis> for info about " "possible values. In addition to those, the expansion below can only be used " "with <emphasis>subdomain_homedir</emphasis>. <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3940 msgid "The value can be overridden by <emphasis>override_homedir</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3944 msgid "Default: <filename>/home/%d/%u</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3949 msgid "realmd_tags (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3952 msgid "Various tags stored by the realmd configuration service for this domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3958 msgid "cached_auth_timeout (int)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3961 msgid "" "Specifies time in seconds since last successful online authentication for " "which user will be authenticated using cached credentials while SSSD is in " "the online mode. If the credentials are incorrect, SSSD falls back to online " "authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3969 msgid "" "This option's value is inherited by all trusted domains. At the moment it is " "not possible to set a different value per trusted domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3974 msgid "Special value 0 implies that this feature is disabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3978 msgid "" "Please note that if <quote>cached_auth_timeout</quote> is longer than " "<quote>pam_id_timeout</quote> then the back end could be called to handle " "<quote>initgroups.</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:3989 msgid "local_auth_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:3992 msgid "" "Local authentication methods policy. Some backends (i.e. LDAP, proxy " "provider) only support a password based authentication, while others can " "handle PKINIT based Smartcard authentication (AD, IPA), two-factor " "authentication (IPA), or other methods against a central instance. By " "default in such cases authentication is only performed with the methods " "supported by the backend." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4002 msgid "" "There are three possible values for this option: match, only, " "enable. <quote>match</quote> is used to match offline and online states for " "Kerberos methods. <quote>only</quote> ignores the online methods and only " "offer the local ones. enable allows explicitly defining the methods for " "local authentication. As an example, <quote>enable:passkey</quote>, only " "enables passkey for local authentication. Multiple enable values should be " "comma-separated, such as <quote>enable:passkey, enable:smartcard</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4014 msgid "" "Please note that if local Smartcard authentication is enabled and a " "Smartcard is present, Smartcard authentication will be preferred over the " "authentication methods supported by the backend. I.e. there will be a PIN " "prompt instead of e.g. a password prompt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:4026 #, no-wrap msgid "" "[domain/shadowutils]\n" "id_provider = proxy\n" "proxy_lib_name = files\n" "auth_provider = none\n" "local_auth_policy = only\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4022 msgid "" "The following configuration example allows local users to authenticate " "locally using any enabled method (i.e. smartcard, passkey). <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4034 msgid "" "It is expected that the <quote>files</quote> provider ignores the " "local_auth_policy option and supports Smartcard authentication by default." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4039 msgid "Default: match" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4044 msgid "auto_private_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4050 msgid "true" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4053 msgid "" "Create user's private group unconditionally from user's UID number. The GID " "number is ignored in this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4057 msgid "" "NOTE: Because the GID number and the user private group are inferred from " "the UID number, it is not supported to have multiple entries with the same " "UID or GID number with this option. In other words, enabling this option " "enforces uniqueness across the ID space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4066 msgid "false" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4069 msgid "" "Always use the user's primary GID number. The GID number must refer to a " "group object in the LDAP database." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4075 msgid "hybrid" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4078 msgid "" "A primary group is autogenerated for user entries whose UID and GID numbers " "have the same value and at the same time the GID number does not correspond " "to a real group object in LDAP. If the values are the same, but the primary " "GID in the user entry is also used by a group object, the primary GID of the " "user resolves to that group object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4091 msgid "" "If the UID and GID of a user are different, then the GID must correspond to " "a group entry, otherwise the GID is simply not resolvable." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4098 msgid "" "This feature is useful for environments that wish to stop maintaining a " "separate group objects for the user private groups, but also wish to retain " "the existing user private groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4047 msgid "" "This option takes any of three available values: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4110 msgid "" "For subdomains, the default value is False for subdomains that use assigned " "POSIX IDs and True for subdomains that use automatic ID-mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:4118 #, no-wrap msgid "" "[domain/forest.domain/sub.domain]\n" "auto_private_groups = false\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd.conf.5.xml:4124 #, no-wrap msgid "" "[domain/forest.domain]\n" "subdomain_inherit = auto_private_groups\n" "auto_private_groups = false\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4115 msgid "" "The value of auto_private_groups can either be set per subdomains in a " "subsection, for example: <placeholder type=\"programlisting\" id=\"0\"/> or " "globally for all subdomains in the main domain section using the " "subdomain_inherit option: <placeholder type=\"programlisting\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:2570 msgid "" "These configuration options can be present in a domain configuration " "section, that is, in a section called " "<quote>[domain/<replaceable>NAME</replaceable>]</quote> <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4139 msgid "proxy_pam_target (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4142 msgid "The proxy target PAM proxies to." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4145 msgid "" "Default: not set by default, you have to take an existing pam configuration " "or create a new one and add the service name here. As an alternative you can " "enable local authentication with the local_auth_policy option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4155 msgid "proxy_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4158 msgid "" "The name of the NSS library to use in proxy domains. The NSS functions " "searched for in the library are in the form of _nss_$(libName)_$(function), " "for example _nss_files_getpwent." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4168 msgid "proxy_resolver_lib_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4171 msgid "" "The name of the NSS library to use for hosts and networks lookups in proxy " "domains. The NSS functions searched for in the library are in the form of " "_nss_$(libName)_$(function), for example _nss_dns_gethostbyname2_r." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4182 msgid "proxy_fast_alias (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4185 msgid "" "When a user or group is looked up by name in the proxy provider, a second " "lookup by ID is performed to \"canonicalize\" the name in case the requested " "name was an alias. Setting this option to true would cause the SSSD to " "perform the ID lookup from cache for performance reasons." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4199 msgid "proxy_max_children (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4202 msgid "" "This option specifies the number of pre-forked proxy children. It is useful " "for high-load SSSD environments where sssd may run out of available child " "slots, which would cause some issues due to the requests being queued." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4135 msgid "" "Options valid for proxy domains. <placeholder type=\"variablelist\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd.conf.5.xml:4218 msgid "Application domains" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4220 msgid "" "SSSD, with its D-Bus interface (see <citerefentry> " "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry>) is appealing to applications as a gateway to an LDAP " "directory where users and groups are stored. However, contrary to the " "traditional SSSD deployment where all users and groups either have POSIX " "attributes or those attributes can be inferred from the Windows SIDs, in " "many cases the users and groups in the application support scenario have no " "POSIX attributes. Instead of setting a " "<quote>[domain/<replaceable>NAME</replaceable>]</quote> section, the " "administrator can set up an " "<quote>[application/<replaceable>NAME</replaceable>]</quote> section that " "internally represents a domain with type <quote>application</quote> " "optionally inherits settings from a tradition SSSD domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4240 msgid "" "Please note that the application domain must still be explicitly enabled in " "the <quote>domains</quote> parameter so that the lookup order between the " "application domain and its POSIX sibling domain is set correctly." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> #: sssd.conf.5.xml:4246 msgid "Application domain parameters" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd.conf.5.xml:4248 msgid "inherit_from (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4251 msgid "" "The SSSD POSIX-type domain the application domain inherits all settings " "from. The application domain can moreover add its own settings to the " "application settings that augment or override the <quote>sibling</quote> " "domain settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd.conf.5.xml:4265 msgid "" "The following example illustrates the use of an application domain. In this " "setup, the POSIX domain is connected to an LDAP server and is used by the OS " "through the NSS responder. In addition, the application domain also requests " "the telephoneNumber attribute, stores it as the phone attribute in the cache " "and makes the phone attribute reachable through the D-Bus interface." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><programlisting> #: sssd.conf.5.xml:4273 #, no-wrap msgid "" "[sssd]\n" "domains = appdom, posixdom\n" "\n" "[ifp]\n" "user_attributes = +phone\n" "\n" "[domain/posixdom]\n" "id_provider = ldap\n" "ldap_uri = ldap://ldap.example.com\n" "ldap_search_base = dc=example,dc=com\n" "\n" "[application/appdom]\n" "inherit_from = posixdom\n" "ldap_user_extra_attrs = phone:telephoneNumber\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4293 msgid "TRUSTED DOMAIN SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4295 msgid "" "Some options used in the domain section can also be used in the trusted " "domain section, that is, in a section called " "<quote>[domain/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>TRUSTED_DOMAIN_NAME</replaceable>]</quote>. " "Where DOMAIN_NAME is the actual joined-to base domain. Please refer to " "examples below for explanation. Currently supported options in the trusted " "domain section are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4302 msgid "ldap_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4303 msgid "ldap_user_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4304 msgid "ldap_group_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4305 msgid "ldap_netgroup_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4306 msgid "ldap_service_search_base," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4307 msgid "ldap_sasl_mech," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4308 msgid "ad_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4309 msgid "ad_backup_server," msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4310 msgid "ad_site," msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4311 sssd-ipa.5.xml:884 msgid "use_fully_qualified_names" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4315 msgid "" "For more details about these options see their individual description in the " "manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4321 msgid "CERTIFICATE MAPPING SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4323 msgid "" "To allow authentication with Smartcards and certificates SSSD must be able " "to map certificates to users. This can be done by adding the full " "certificate to the LDAP object of the user or to a local override. While " "using the full certificate is required to use the Smartcard authentication " "feature of SSH (see <citerefentry> " "<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> for details) it might be cumbersome " "or not even possible to do this for the general case where local services " "use PAM for authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4337 msgid "" "To make the mapping more flexible mapping and matching rules were added to " "SSSD (see <citerefentry> <refentrytitle>sss-certmap</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for details)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4346 msgid "" "A mapping and matching rule can be added to the SSSD configuration in a " "section on its own with a name like " "<quote>[certmap/<replaceable>DOMAIN_NAME</replaceable>/<replaceable>RULE_NAME</replaceable>]</quote>. " "In this section the following options are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4353 msgid "matchrule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4356 msgid "" "Only certificates from the Smartcard which matches this rule will be " "processed, all others are ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4360 msgid "" "Default: KRB5:<EKU>clientAuth, i.e. only certificates which have the " "Extended Key Usage <quote>clientAuth</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4367 msgid "maprule (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4370 msgid "Defines how the user is found for a given certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4376 msgid "" "LDAP:(userCertificate;binary={cert!bin}) for LDAP based providers like " "<quote>ldap</quote>, <quote>AD</quote> or <quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4382 msgid "" "The RULE_NAME for the <quote>files</quote> provider which tries to find a " "user with the same name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4391 msgid "domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4394 msgid "" "Comma separated list of domain names the rule should be applied. By default " "a rule is only valid in the domain configured in sssd.conf. If the provider " "supports subdomains this option can be used to add the rule to subdomains as " "well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4401 msgid "Default: the configured domain in sssd.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.conf.5.xml:4406 msgid "priority (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4409 msgid "" "Unsigned integer value defining the priority of the rule. The higher the " "number the lower the priority. <quote>0</quote> stands for the highest " "priority while <quote>4294967295</quote> is the lowest." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4415 msgid "Default: the lowest priority" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4421 msgid "" "To make the configuration simple and reduce the amount of configuration " "options the <quote>files</quote> provider has some special properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4427 msgid "" "if maprule is not set the RULE_NAME name is assumed to be the name of the " "matching user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4433 msgid "" "if a maprule is used both a single user name or a template like " "<quote>{subject_rfc822_name.short_name}</quote> must be in braces like " "e.g. <quote>(username)</quote> or " "<quote>({subject_rfc822_name.short_name})</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4442 msgid "the <quote>domains</quote> option is ignored" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4450 msgid "PROMPTING CONFIGURATION SECTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4452 msgid "" "If a special file " "(<filename>/var/lib/sss/pubconf/pam_preauth_available</filename>) exists " "SSSD's PAM module pam_sss will ask SSSD to figure out which authentication " "methods are available for the user trying to log in. Based on the results " "pam_sss will prompt the user for appropriate credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4460 msgid "" "With the growing number of authentication methods and the possibility that " "there are multiple ones for a single user the heuristic used by pam_sss to " "select the prompting might not be suitable for all use cases. The following " "options should provide a better flexibility here." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4472 msgid "[prompting/password]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4475 msgid "password_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4476 msgid "to change the string of the password prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4474 msgid "" "to configure password prompting, allowed options are: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4484 msgid "[prompting/2fa]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4488 msgid "first_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4489 msgid "to change the string of the prompt for the first factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4492 msgid "second_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4493 msgid "to change the string of the prompt for the second factor" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4496 msgid "single_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4497 msgid "" "boolean value, if True there will be only a single prompt using the value of " "first_prompt where it is expected that both factors are entered as a single " "string. Please note that both factors have to be entered here, even if the " "second factor is optional." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4486 msgid "" "to configure two-factor authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/> If the second factor is " "optional and it should be possible to log in either only with the password " "or with both factors two-step prompting has to be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4514 msgid "[prompting/passkey]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd.conf.5.xml:4520 sssd-ad.5.xml:1021 msgid "interactive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4522 msgid "" "boolean value, if True prompt a message and wait before testing the presence " "of a passkey device. Recommended if your device doesn’t have a tactile " "trigger." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4530 msgid "interactive_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4532 msgid "to change the message of the interactive prompt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4537 msgid "touch" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4539 msgid "" "boolean value, if True prompt a message to remind the user to touch the " "device." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd.conf.5.xml:4545 msgid "touch_prompt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4547 msgid "to change the message of the touch prompt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd.conf.5.xml:4516 msgid "" "to configure passkey authentication prompting, allowed options are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4467 msgid "" "Each supported authentication method has its own configuration subsection " "under <quote>[prompting/...]</quote>. Currently there are: <placeholder " "type=\"variablelist\" id=\"0\"/> <placeholder type=\"variablelist\" " "id=\"1\"/> <placeholder type=\"variablelist\" id=\"2\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4558 msgid "" "It is possible to add a subsection for specific PAM services, " "e.g. <quote>[prompting/password/sshd]</quote> to individual change the " "prompting for this service." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.conf.5.xml:4565 pam_sss_gss.8.xml:157 idmap_sss.8.xml:43 msgid "EXAMPLES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4571 #, no-wrap msgid "" "[sssd]\n" "domains = LDAP\n" "services = nss, pam\n" "config_file_version = 2\n" "\n" "[nss]\n" "filter_groups = root\n" "filter_users = root\n" "\n" "[pam]\n" "\n" "[domain/LDAP]\n" "id_provider = ldap\n" "ldap_uri = ldap://ldap.example.com\n" "ldap_search_base = dc=example,dc=com\n" "\n" "auth_provider = krb5\n" "krb5_server = kerberos.example.com\n" "krb5_realm = EXAMPLE.COM\n" "cache_credentials = true\n" "\n" "min_id = 10000\n" "max_id = 20000\n" "enumerate = False\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4567 msgid "" "1. The following example shows a typical SSSD config. It does not describe " "configuration of the domains themselves - refer to documentation on " "configuring domains for more details. <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4604 #, no-wrap msgid "" "[domain/ipa.com/child.ad.com]\n" "use_fully_qualified_names = false\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4598 msgid "" "2. The following example shows configuration of IPA AD trust where the AD " "forest consists of two domains in a parent-child structure. Suppose IPA " "domain (ipa.com) has trust with AD domain(ad.com). ad.com has child domain " "(child.ad.com). To enable shortnames in the child domain the following " "configuration should be used. <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd.conf.5.xml:4615 #, no-wrap msgid "" "[certmap/my.domain/rule_name]\n" "matchrule = <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$\n" "maprule = (userCertificate;binary={cert!bin})\n" "domains = my.domain, your.domain\n" "priority = 10\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.conf.5.xml:4609 msgid "" "3. The following example shows the configuration of a certificate mapping " "rule. It is valid for the configured domain <quote>my.domain</quote> and " "additionally for the subdomains <quote>your.domain</quote> and uses the full " "certificate in the search filter. <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ldap.5.xml:10 sssd-ldap.5.xml:16 msgid "sssd-ldap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ldap.5.xml:17 msgid "SSSD LDAP provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:21 pam_sss.8.xml:63 pam_sss_gss.8.xml:30 #: sssd_krb5_locator_plugin.8.xml:20 sssd-simple.5.xml:22 sss-certmap.5.xml:21 #: sssd-ipa.5.xml:21 sssd-ad.5.xml:21 sssd-sudo.5.xml:21 sssd.8.xml:29 #: sss_obfuscate.8.xml:30 sss_override.8.xml:30 sssd-krb5.5.xml:21 #: sss_cache.8.xml:29 sss_debuglevel.8.xml:30 sss_seed.8.xml:31 #: sssd-ifp.5.xml:21 sss_ssh_authorizedkeys.1.xml:30 #: sss_ssh_knownhostsproxy.1.xml:31 idmap_sss.8.xml:20 sssctl.8.xml:30 #: sssd-files.5.xml:21 sssd-session-recording.5.xml:21 sssd-kcm.8.xml:21 #: sssd-systemtap.5.xml:21 sssd-ldap-attributes.5.xml:21 #: sssd_krb5_localauth_plugin.8.xml:20 msgid "DESCRIPTION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:23 msgid "" "This manual page describes the configuration of LDAP domains for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. Refer to the <quote>FILE FORMAT</quote> section of the " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page for detailed syntax " "information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:35 msgid "You can configure SSSD to use more than one LDAP domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:38 msgid "" "LDAP back end supports id, auth, access and chpass providers. If you want to " "authenticate against an LDAP server either TLS/SSL or LDAPS is " "required. <command>sssd</command> <emphasis>does not</emphasis> support " "authentication over an unencrypted channel. Even if the LDAP server is used " "only as an identity provider, an encrypted channel is strongly " "recommended. Please refer to <quote>ldap_access_filter</quote> config option " "for more information about using LDAP as an access provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:50 sssd-simple.5.xml:69 sssd-ipa.5.xml:82 sssd-ad.5.xml:130 #: sssd-krb5.5.xml:63 sssd-ifp.5.xml:60 sssd-files.5.xml:77 #: sssd-session-recording.5.xml:58 sssd-kcm.8.xml:202 msgid "CONFIGURATION OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:67 msgid "ldap_uri, ldap_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:70 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference. Refer to the " "<quote>FAILOVER</quote> section for more information on failover and server " "redundancy. If neither option is specified, service discovery is " "enabled. For more information, refer to the <quote>SERVICE DISCOVERY</quote> " "section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:77 msgid "The format of the URI must match the format defined in RFC 2732:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:80 msgid "ldap[s]://<host>[:port]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:83 msgid "For explicit IPv6 addresses, <host> must be enclosed in brackets []" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:86 msgid "example: ldap://[fc00::126:25]:389" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:92 msgid "ldap_chpass_uri, ldap_chpass_backup_uri (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:95 msgid "" "Specifies the comma-separated list of URIs of the LDAP servers to which SSSD " "should connect in the order of preference to change the password of a " "user. Refer to the <quote>FAILOVER</quote> section for more information on " "failover and server redundancy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:102 msgid "To enable service discovery ldap_chpass_dns_service_name must be set." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:106 msgid "Default: empty, i.e. ldap_uri is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:112 msgid "ldap_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:115 msgid "The default base DN to use for performing LDAP user operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:119 msgid "" "Starting with SSSD 1.7.0, SSSD supports multiple search bases using the " "syntax:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:123 msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:126 msgid "The scope can be one of \"base\", \"onelevel\" or \"subtree\"." msgstr "" #. type: Content of: <listitem><para> #: sssd-ldap.5.xml:129 include/ldap_search_bases.xml:18 msgid "" "The filter must be a valid LDAP search filter as specified by " "http://www.ietf.org/rfc/rfc2254.txt" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:133 sssd-ad.5.xml:311 sss_override.8.xml:143 #: sss_override.8.xml:240 sssd-ldap-attributes.5.xml:453 msgid "Examples:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:136 msgid "" "ldap_search_base = dc=example,dc=com (which is equivalent to) " "ldap_search_base = dc=example,dc=com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:141 msgid "" "ldap_search_base = " "cn=host_specific,dc=example,dc=com?subtree?(host=thishost)?dc=example.com?subtree?" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:144 msgid "" "Note: It is unsupported to have multiple search bases which reference " "identically-named objects (for example, groups with the same name in two " "different search bases). This will lead to unpredictable behavior on client " "machines." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:151 msgid "" "Default: If not set, the value of the defaultNamingContext or namingContexts " "attribute from the RootDSE of the LDAP server is used. If " "defaultNamingContext does not exist or has an empty value namingContexts is " "used. The namingContexts attribute must have a single value with the DN of " "the search base of the LDAP server to make this work. Multiple values are " "are not supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:165 msgid "ldap_schema (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:168 msgid "" "Specifies the Schema Type in use on the target LDAP server. Depending on " "the selected schema, the default attribute names retrieved from the servers " "may vary. The way that some attributes are handled may also differ." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:175 msgid "Four schema types are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:179 msgid "rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:184 msgid "rfc2307bis" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:189 msgid "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:194 msgid "AD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:200 msgid "" "The main difference between these schema types is how group memberships are " "recorded in the server. With rfc2307, group members are listed by name in " "the <emphasis>memberUid</emphasis> attribute. With rfc2307bis and IPA, " "group members are listed by DN and stored in the <emphasis>member</emphasis> " "attribute. The AD schema type sets the attributes to correspond with Active " "Directory 2008r2 values." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:210 msgid "Default: rfc2307" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:216 msgid "ldap_pwmodify_mode (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:219 msgid "Specify the operation that is used to modify user password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:223 msgid "Two modes are currently supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:227 msgid "exop - Password Modify Extended Operation (RFC 3062)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:233 msgid "ldap_modify - Direct modification of userPassword (not recommended)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:240 msgid "" "Note: First, a new connection is established to verify current password by " "binding as the user that requested password change. If successful, this " "connection is used to change the password therefore the user must have write " "access to userPassword attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:248 msgid "Default: exop" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:254 msgid "ldap_default_bind_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:257 msgid "The default bind DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:264 msgid "ldap_default_authtok_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:267 msgid "The type of the authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:271 msgid "The two mechanisms currently supported are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:274 msgid "password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:277 msgid "obfuscated_password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:280 msgid "Default: password" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:283 msgid "" "See the <citerefentry> <refentrytitle>sss_obfuscate</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> manual page for more information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:294 msgid "ldap_default_authtok (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:297 msgid "The authentication token of the default bind DN." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:303 msgid "ldap_force_upper_case_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:306 msgid "" "Some directory servers, for example Active Directory, might deliver the " "realm part of the UPN in lower case, which might cause the authentication to " "fail. Set this option to a non-zero value if you want to use an upper-case " "realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:319 msgid "ldap_enumeration_refresh_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:322 msgid "" "Specifies how many seconds SSSD has to wait before refreshing its cache of " "enumerated records." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:338 msgid "ldap_purge_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:341 msgid "" "Determine how often to check the cache for inactive entries (such as groups " "with no members and users who have never logged in) and remove them to save " "space." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:347 msgid "" "Setting this option to zero will disable the cache cleanup operation. Please " "note that if enumeration is enabled, the cleanup task is required in order " "to detect entries removed from the server and can't be disabled. By default, " "the cleanup task will run every 3 hours with enumeration enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:367 msgid "ldap_group_nesting_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:370 msgid "" "If ldap_schema is set to a schema format that supports nested groups " "(e.g. RFC2307bis), then this option controls how many levels of nesting SSSD " "will follow. This option has no effect on the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:377 msgid "" "Note: This option specifies the guaranteed level of nested groups to be " "processed for any lookup. However, nested groups beyond this limit " "<emphasis>may be</emphasis> returned if previous lookups already resolved " "the deeper nesting levels. Also, subsequent lookups for other groups may " "enlarge the result set for original lookup if re-queried." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:386 msgid "" "If ldap_group_nesting_level is set to 0 then no nested groups are processed " "at all. However, when connected to Active-Directory Server 2008 and later " "using <quote>id_provider=ad</quote> it is furthermore required to disable " "usage of Token-Groups by setting ldap_use_tokengroups to false in order to " "restrict group nesting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:395 msgid "Default: 2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:404 msgid "" "This options enables or disables use of Token-Groups attribute when " "performing initgroup for users from Active Directory Server 2008 and later." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:414 msgid "Default: True for AD and IPA otherwise False." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:420 msgid "ldap_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:423 msgid "Optional. Use the given string as search base for host objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:427 sssd-ipa.5.xml:462 sssd-ipa.5.xml:481 sssd-ipa.5.xml:500 #: sssd-ipa.5.xml:519 msgid "" "See <quote>ldap_search_base</quote> for information about configuring " "multiple search bases." msgstr "" #. type: Content of: <listitem><para> #: sssd-ldap.5.xml:432 sssd-ipa.5.xml:467 include/ldap_search_bases.xml:27 msgid "Default: the value of <emphasis>ldap_search_base</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:439 msgid "ldap_service_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:444 msgid "ldap_iphost_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:449 msgid "ldap_ipnetwork_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:454 msgid "ldap_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:457 msgid "" "Specifies the timeout (in seconds) that ldap searches are allowed to run " "before they are cancelled and cached results are returned (and offline mode " "is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:463 msgid "" "Note: this option is subject to change in future versions of the SSSD. It " "will likely be replaced at some point by a series of timeouts for specific " "lookup types." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:480 msgid "ldap_enumeration_search_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:483 msgid "" "Specifies the timeout (in seconds) that ldap searches for user and group " "enumerations are allowed to run before they are cancelled and cached results " "are returned (and offline mode is entered)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:501 msgid "ldap_network_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:504 msgid "" "Specifies the timeout (in seconds) after which the <citerefentry> " "<refentrytitle>poll</refentrytitle> <manvolnum>2</manvolnum> " "</citerefentry>/<citerefentry> <refentrytitle>select</refentrytitle> " "<manvolnum>2</manvolnum> </citerefentry> following a <citerefentry> " "<refentrytitle>connect</refentrytitle> <manvolnum>2</manvolnum> " "</citerefentry> returns in case of no activity." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:532 msgid "ldap_opt_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:535 msgid "" "Specifies a timeout (in seconds) after which calls to synchronous LDAP APIs " "will abort if no response is received. Also controls the timeout when " "communicating with the KDC in case of SASL bind, the timeout of an LDAP bind " "operation, password change extended operation and the StartTLS operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:555 msgid "ldap_connection_expire_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:558 msgid "" "Specifies a timeout (in seconds) that a connection to an LDAP server will be " "maintained. After this time, the connection will be re-established. If used " "in parallel with SASL/GSSAPI, the sooner of the two values (this value " "vs. the TGT lifetime) will be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:566 msgid "" "If the connection is idle (not actively running an operation) within " "<emphasis>ldap_opt_timeout</emphasis> seconds of expiration, then it will be " "closed early to ensure that a new query cannot require the connection to " "remain open past its expiration. This implies that connections will always " "be closed immediately and will never be reused if " "<emphasis>ldap_connection_expire_timeout <= ldap_opt_timout</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:578 msgid "" "This timeout can be extended of a random value specified by " "<emphasis>ldap_connection_expire_offset</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:588 sssd-ldap.5.xml:631 sssd-ldap.5.xml:1713 msgid "Default: 900 (15 minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:594 msgid "ldap_connection_expire_offset (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:597 msgid "" "Random offset between 0 and configured value is added to " "<emphasis>ldap_connection_expire_timeout</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:613 msgid "ldap_connection_idle_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:616 msgid "" "Specifies a timeout (in seconds) that an idle connection to an LDAP server " "will be maintained. If the connection is idle for more than this time then " "the connection will be closed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:622 msgid "You can disable this timeout by setting the value to 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:637 msgid "ldap_page_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:640 msgid "" "Specify the number of records to retrieve from LDAP in a single " "request. Some LDAP servers enforce a maximum limit per-request." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:651 msgid "ldap_disable_paging (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:654 msgid "" "Disable the LDAP paging control. This option should be used if the LDAP " "server reports that it supports the LDAP paging control in its RootDSE but " "it is not enabled or does not behave properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:660 msgid "" "Example: OpenLDAP servers with the paging control module installed on the " "server but not enabled will report it in the RootDSE but be unable to use " "it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:666 msgid "" "Example: 389 DS has a bug where it can only support a one paging control at " "a time on a single connection. On busy clients, this can result in some " "requests being denied." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:678 msgid "ldap_disable_range_retrieval (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:681 msgid "Disable Active Directory range retrieval." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:684 msgid "" "Active Directory limits the number of members to be retrieved in a single " "lookup using the MaxValRange policy (which defaults to 1500 members). If a " "group contains more members, the reply would include an AD-specific range " "extension. This option disables parsing of the range extension, therefore " "large groups will appear as having no members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:699 msgid "ldap_sasl_minssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:702 msgid "" "When communicating with an LDAP server using SASL, specify the minimum " "security level necessary to establish the connection. The values of this " "option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:708 sssd-ldap.5.xml:724 msgid "Default: Use the system default (usually specified by ldap.conf)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:715 msgid "ldap_sasl_maxssf (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:718 msgid "" "When communicating with an LDAP server using SASL, specify the maximal " "security level necessary to establish the connection. The values of this " "option are defined by OpenLDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:731 msgid "ldap_deref_threshold (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:734 msgid "" "Specify the number of group members that must be missing from the internal " "cache in order to trigger a dereference lookup. If less members are missing, " "they are looked up individually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:740 msgid "" "You can turn off dereference lookups completely by setting the value to " "0. Please note that there are some codepaths in SSSD, like the IPA HBAC " "provider, that are only implemented using the dereference call, so even with " "dereference explicitly disabled, those parts will still use dereference if " "the server supports it and advertises the dereference control in the rootDSE " "object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:751 msgid "" "A dereference lookup is a means of fetching all group members in a single " "LDAP call. Different LDAP servers may implement different dereference " "methods. The currently supported servers are 389/RHDS, OpenLDAP and Active " "Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:759 msgid "" "<emphasis>Note:</emphasis> If any of the search bases specifies a search " "filter, then the dereference lookup performance enhancement will be disabled " "regardless of this setting." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:772 msgid "ldap_ignore_unreadable_references (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:775 msgid "" "Ignore unreadable LDAP entries referenced in group's member attribute. If " "this parameter is set to false an error will be returned and the operation " "will fail instead of just ignoring the unreadable entry." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:782 msgid "" "This parameter may be useful when using the AD provider and the computer " "account that sssd uses to connect to AD does not have access to a particular " "entry or LDAP sub-tree for security reasons." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:795 msgid "ldap_tls_reqcert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:798 msgid "" "Specifies what checks to perform on server certificates in a TLS session, if " "any. It can be specified as one of the following values:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:804 msgid "" "<emphasis>never</emphasis> = The client will not request or check any server " "certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:808 msgid "" "<emphasis>allow</emphasis> = The server certificate is requested. If no " "certificate is provided, the session proceeds normally. If a bad certificate " "is provided, it will be ignored and the session proceeds normally." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:815 msgid "" "<emphasis>try</emphasis> = The server certificate is requested. If no " "certificate is provided, the session proceeds normally. If a bad certificate " "is provided, the session is immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:821 msgid "" "<emphasis>demand</emphasis> = The server certificate is requested. If no " "certificate is provided, or a bad certificate is provided, the session is " "immediately terminated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:827 msgid "<emphasis>hard</emphasis> = Same as <quote>demand</quote>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:831 msgid "Default: hard" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:837 msgid "ldap_tls_cacert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:840 msgid "" "Specifies the file that contains certificates for all of the Certificate " "Authorities that <command>sssd</command> will recognize." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:845 sssd-ldap.5.xml:863 sssd-ldap.5.xml:904 msgid "" "Default: use OpenLDAP defaults, typically in " "<filename>/etc/openldap/ldap.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:852 msgid "ldap_tls_cacertdir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:855 msgid "" "Specifies the path of a directory that contains Certificate Authority " "certificates in separate individual files. Typically the file names need to " "be the hash of the certificate followed by '.0'. If available, " "<command>cacertdir_rehash</command> can be used to create the correct names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:870 msgid "ldap_tls_cert (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:873 msgid "Specifies the file that contains the certificate for the client's key." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:883 msgid "ldap_tls_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:886 msgid "Specifies the file that contains the client's key." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:895 msgid "ldap_tls_cipher_suite (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:898 msgid "" "Specifies acceptable cipher suites. Typically this is a colon separated " "list. See <citerefentry><refentrytitle>ldap.conf</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> for format." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:911 msgid "ldap_id_use_start_tls (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:914 msgid "" "Specifies that the id_provider connection must also use <systemitem " "class=\"protocol\">tls</systemitem> to protect the channel. " "<emphasis>true</emphasis> is strongly recommended for security reasons." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:925 msgid "ldap_id_mapping (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:928 msgid "" "Specifies that SSSD should attempt to map user and group IDs from the " "ldap_user_objectsid and ldap_group_objectsid attributes instead of relying " "on ldap_user_uid_number and ldap_group_gid_number." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:934 msgid "Currently this feature supports only ActiveDirectory objectSID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:944 msgid "ldap_min_id, ldap_max_id (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:947 msgid "" "In contrast to the SID based ID mapping which is used if ldap_id_mapping is " "set to true the allowed ID range for ldap_user_uid_number and " "ldap_group_gid_number is unbound. In a setup with sub/trusted-domains this " "might lead to ID collisions. To avoid collisions ldap_min_id and ldap_max_id " "can be set to restrict the allowed range for the IDs which are read directly " "from the server. Sub-domains can then pick other ranges to map IDs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:959 msgid "Default: not set (both options are set to 0)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:965 msgid "ldap_sasl_mech (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:968 msgid "" "Specify the SASL mechanism to use. Currently only GSSAPI and GSS-SPNEGO are " "tested and supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:972 msgid "" "If the backend supports sub-domains the value of ldap_sasl_mech is " "automatically inherited to the sub-domains. If a different value is needed " "for a sub-domain it can be overwritten by setting ldap_sasl_mech for this " "sub-domain explicitly. Please see TRUSTED DOMAIN SECTION in " "<citerefentry><refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:988 msgid "ldap_sasl_authid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ldap.5.xml:1000 #, no-wrap msgid "" "hostname@REALM\n" "netbiosname$@REALM\n" "host/hostname@REALM\n" "*$@REALM\n" "host/*@REALM\n" "host/*\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:991 msgid "" "Specify the SASL authorization id to use. When GSSAPI/GSS-SPNEGO are used, " "this represents the Kerberos principal used for authentication to the " "directory. This option can either contain the full principal (for example " "host/myhost@EXAMPLE.COM) or just the principal name (for example " "host/myhost). By default, the value is not set and the following principals " "are used: <placeholder type=\"programlisting\" id=\"0\"/> If none of them " "are found, the first principal in keytab is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1011 msgid "Default: host/hostname@REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1017 msgid "ldap_sasl_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1020 msgid "" "Specify the SASL realm to use. When not specified, this option defaults to " "the value of krb5_realm. If the ldap_sasl_authid contains the realm as " "well, this option is ignored." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1026 msgid "Default: the value of krb5_realm." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1032 msgid "ldap_sasl_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1035 msgid "" "If set to true, the LDAP library would perform a reverse lookup to " "canonicalize the host name during a SASL bind." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1040 msgid "Default: false;" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1046 msgid "ldap_krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1049 msgid "Specify the keytab to use when using SASL/GSSAPI/GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1058 sssd-krb5.5.xml:247 msgid "Default: System keytab, normally <filename>/etc/krb5.keytab</filename>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1064 msgid "ldap_krb5_init_creds (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1067 msgid "" "Specifies that the id_provider should init Kerberos credentials (TGT). This " "action is performed only if SASL is used and the mechanism selected is " "GSSAPI or GSS-SPNEGO." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1079 msgid "ldap_krb5_ticket_lifetime (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1082 msgid "" "Specifies the lifetime in seconds of the TGT if GSSAPI or GSS-SPNEGO is " "used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1091 sssd-ad.5.xml:1252 msgid "Default: 86400 (24 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1097 sssd-krb5.5.xml:74 msgid "krb5_server, krb5_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1100 msgid "" "Specifies the comma-separated list of IP addresses or hostnames of the " "Kerberos servers to which SSSD should connect in the order of " "preference. For more information on failover and server redundancy, see the " "<quote>FAILOVER</quote> section. An optional port number (preceded by a " "colon) may be appended to the addresses or hostnames. If empty, service " "discovery is enabled - for more information, refer to the <quote>SERVICE " "DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1112 sssd-krb5.5.xml:89 msgid "" "When using service discovery for KDC or kpasswd servers, SSSD first searches " "for DNS entries that specify _udp as the protocol and falls back to _tcp if " "none are found." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1117 sssd-krb5.5.xml:94 msgid "" "This option was named <quote>krb5_kdcip</quote> in earlier releases of " "SSSD. While the legacy name is recognized for the time being, users are " "advised to migrate their config files to use <quote>krb5_server</quote> " "instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1126 sssd-ipa.5.xml:531 sssd-krb5.5.xml:103 msgid "krb5_realm (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1129 msgid "Specify the Kerberos REALM (for SASL/GSSAPI/GSS-SPNEGO auth)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1133 msgid "Default: System defaults, see <filename>/etc/krb5.conf</filename>" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: sssd-ldap.5.xml:1139 include/krb5_options.xml:154 msgid "krb5_canonicalize (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1142 msgid "" "Specifies if the host principal should be canonicalized when connecting to " "LDAP server. This feature is available with MIT Kerberos >= 1.7" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1154 sssd-krb5.5.xml:336 msgid "krb5_use_kdcinfo (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1157 sssd-krb5.5.xml:339 msgid "" "Specifies if the SSSD should instruct the Kerberos libraries what realm and " "which KDCs to use. This option is on by default, if you disable it, you need " "to configure the Kerberos library using the <citerefentry> " "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> configuration file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1168 sssd-krb5.5.xml:350 msgid "" "See the <citerefentry> " "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> manual page for more information on " "the locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1182 msgid "ldap_pwd_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1185 msgid "" "Select the policy to evaluate the password expiration on the client " "side. The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1190 msgid "" "<emphasis>none</emphasis> - No evaluation on the client side. This option " "cannot disable server-side password policies." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1195 msgid "" "<emphasis>shadow</emphasis> - Use " "<citerefentry><refentrytitle>shadow</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> style attributes to evaluate if the " "password has expired. Please see option \"ldap_chpass_update_last_change\" " "as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1203 msgid "" "<emphasis>mit_kerberos</emphasis> - Use the attributes used by MIT Kerberos " "to determine if the password has expired. Use chpass_provider=krb5 to update " "these attributes when the password is changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1212 msgid "" "<emphasis>Note</emphasis>: if a password policy is configured on server " "side, it always takes precedence over policy set with this option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1220 msgid "ldap_referrals (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1223 msgid "Specifies whether automatic referral chasing should be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1227 msgid "" "Please note that sssd only supports referral chasing when it is compiled " "with OpenLDAP version 2.4.13 or higher." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1232 msgid "" "Chasing referrals may incur a performance penalty in environments that use " "them heavily, a notable example is Microsoft Active Directory. If your setup " "does not in fact require the use of referrals, setting this option to false " "might bring a noticeable performance improvement. Setting this option to " "false is therefore recommended in case the SSSD LDAP provider is used " "together with Microsoft Active Directory as a backend. Even if SSSD would be " "able to follow the referral to a different AD DC no additional data would be " "available." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1251 msgid "ldap_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1254 msgid "Specifies the service name to use when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1258 msgid "Default: ldap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1264 msgid "ldap_chpass_dns_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1267 msgid "" "Specifies the service name to use to find an LDAP server which allows " "password changes when service discovery is enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1272 msgid "Default: not set, i.e. service discovery is disabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1278 msgid "ldap_chpass_update_last_change (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1281 msgid "" "Specifies whether to update the ldap_user_shadow_last_change attribute with " "days since the Epoch after a password change operation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1287 msgid "" "It is recommend to set this option explicitly if \"ldap_pwd_policy = " "shadow\" is used to let SSSD know if the LDAP server will update " "shadowLastChange LDAP attribute automatically after a password change or if " "SSSD has to update it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1301 msgid "ldap_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1304 msgid "" "If using access_provider = ldap and ldap_access_order = filter (default), " "this option is mandatory. It specifies an LDAP search filter criteria that " "must be met for the user to be granted access on this host. If " "access_provider = ldap, ldap_access_order = filter and this option is not " "set, it will result in all users being denied access. Use access_provider = " "permit to change this default behavior. Please note that this filter is " "applied on the LDAP user entry only and thus filtering based on nested " "groups may not work (e.g. memberOf attribute on AD entries points only to " "direct parents). If filtering based on nested groups is required, please see " "<citerefentry> " "<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1324 msgid "Example:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> #: sssd-ldap.5.xml:1327 #, no-wrap msgid "" "access_provider = ldap\n" "ldap_access_filter = (employeeType=admin)\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1331 msgid "" "This example means that access to this host is restricted to users whose " "employeeType attribute is set to \"admin\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1336 msgid "" "Offline caching for this feature is limited to determining whether the " "user's last online login was granted access permission. If they were granted " "access during their last login, they will continue to be granted access " "while offline and vice versa." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1344 sssd-ldap.5.xml:1400 msgid "Default: Empty" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1350 msgid "ldap_account_expire_policy (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1353 msgid "" "With this option a client side evaluation of access control attributes can " "be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1357 msgid "" "Please note that it is always recommended to use server side access control, " "i.e. the LDAP server should deny the bind request with a suitable error code " "even if the password is correct." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1364 msgid "The following values are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1367 msgid "" "<emphasis>shadow</emphasis>: use the value of ldap_user_shadow_expire to " "determine if the account is expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1372 msgid "" "<emphasis>ad</emphasis>: use the value of the 32bit field " "ldap_user_ad_user_account_control and allow access if the second bit is not " "set. If the attribute is missing access is granted. Also the expiration time " "of the account is checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1379 msgid "" "<emphasis>rhds</emphasis>, <emphasis>ipa</emphasis>, " "<emphasis>389ds</emphasis>: use the value of ldap_ns_account_lock to check " "if access is allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1385 msgid "" "<emphasis>nds</emphasis>: the values of " "ldap_user_nds_login_allowed_time_map, ldap_user_nds_login_disabled and " "ldap_user_nds_login_expiration_time are used to check if access is " "allowed. If both attributes are missing access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1393 msgid "" "Please note that the ldap_access_order configuration option " "<emphasis>must</emphasis> include <quote>expire</quote> in order for the " "ldap_account_expire_policy option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1406 msgid "ldap_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1409 sssd-ipa.5.xml:356 msgid "Comma separated list of access control options. Allowed values are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1413 msgid "<emphasis>filter</emphasis>: use ldap_access_filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1416 msgid "" "<emphasis>lockout</emphasis>: use account locking. If set, this option " "denies access in case that ldap attribute 'pwdAccountLockedTime' is present " "and has value of '000001010000Z'. Please see the option ldap_pwdlockout_dn. " "Please note that 'access_provider = ldap' must be set for this feature to " "work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1426 msgid "" "<emphasis> Please note that this option is superseded by the " "<quote>ppolicy</quote> option and might be removed in a future release. " "</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1433 msgid "" "<emphasis>ppolicy</emphasis>: use account locking. If set, this option " "denies access in case that ldap attribute 'pwdAccountLockedTime' is present " "and has value of '000001010000Z' or represents any time in the past. The " "value of the 'pwdAccountLockedTime' attribute must end with 'Z', which " "denotes the UTC time zone. Other time zones are not currently supported and " "will result in \"access-denied\" when users attempt to log in. Please see " "the option ldap_pwdlockout_dn. Please note that 'access_provider = ldap' " "must be set for this feature to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1450 msgid "<emphasis>expire</emphasis>: use ldap_account_expire_policy" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1454 sssd-ipa.5.xml:364 msgid "" "<emphasis>pwd_expire_policy_reject, pwd_expire_policy_warn, " "pwd_expire_policy_renew: </emphasis> These options are useful if users are " "interested in being warned that password is about to expire and " "authentication is based on using a different method than passwords - for " "example SSH keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1464 sssd-ipa.5.xml:374 msgid "" "The difference between these options is the action taken if user password is " "expired:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1469 sssd-ipa.5.xml:379 msgid "pwd_expire_policy_reject - user is denied to log in," msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1475 sssd-ipa.5.xml:385 msgid "pwd_expire_policy_warn - user is still able to log in," msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ldap.5.xml:1481 sssd-ipa.5.xml:391 msgid "" "pwd_expire_policy_renew - user is prompted to change their password " "immediately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1489 msgid "" "Please note that 'access_provider = ldap' must be set for this feature to " "work. Also 'ldap_pwd_policy' must be set to an appropriate password policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1494 msgid "" "<emphasis>authorized_service</emphasis>: use the authorizedService attribute " "to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1499 msgid "<emphasis>host</emphasis>: use the host attribute to determine access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1503 msgid "" "<emphasis>rhost</emphasis>: use the rhost attribute to determine whether " "remote host can access" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1507 msgid "" "Please note, rhost field in pam is set by application, it is better to check " "what the application sends to pam, before enabling this access control " "option" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1512 msgid "Default: filter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1515 msgid "" "Please note that it is a configuration error if a value is used more than " "once." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1522 msgid "ldap_pwdlockout_dn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1525 msgid "" "This option specifies the DN of password policy entry on LDAP server. Please " "note that absence of this option in sssd.conf in case of enabled account " "lockout checking will yield access denied as ppolicy attributes on LDAP " "server cannot be checked properly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1533 msgid "Example: cn=ppolicy,ou=policies,dc=example,dc=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1536 msgid "Default: cn=ppolicy,ou=policies,$ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1542 msgid "ldap_deref (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1545 msgid "" "Specifies how alias dereferencing is done when performing a search. The " "following options are allowed:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1550 msgid "<emphasis>never</emphasis>: Aliases are never dereferenced." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1554 msgid "" "<emphasis>searching</emphasis>: Aliases are dereferenced in subordinates of " "the base object, but not in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1559 msgid "" "<emphasis>finding</emphasis>: Aliases are only dereferenced when locating " "the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1564 msgid "" "<emphasis>always</emphasis>: Aliases are dereferenced both in searching and " "in locating the base object of the search." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1569 msgid "" "Default: Empty (this is handled as <emphasis>never</emphasis> by the LDAP " "client libraries)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1577 msgid "ldap_rfc2307_fallback_to_local_users (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1580 msgid "" "Allows to retain local users as members of an LDAP group for servers that " "use the RFC2307 schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1584 msgid "" "In some environments where the RFC2307 schema is used, local users are made " "members of LDAP groups by adding their names to the memberUid attribute. " "The self-consistency of the domain is compromised when this is done, so SSSD " "would normally remove the \"missing\" users from the cached group " "memberships as soon as nsswitch tries to fetch information about the user " "via getpw*() or initgroups() calls." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1595 msgid "" "This option falls back to checking if local users are referenced, and caches " "them so that later initgroups() calls will augment the local users with the " "additional LDAP groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1607 sssd-ifp.5.xml:152 msgid "wildcard_limit (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1610 msgid "" "Specifies an upper limit on the number of entries that are downloaded during " "a wildcard lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1614 msgid "At the moment, only the InfoPipe responder supports wildcard lookups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1618 msgid "Default: 1000 (often the size of one page)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1624 msgid "ldap_library_debug_level (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1627 msgid "" "Switches on libldap debugging with the given level. The libldap debug " "messages will be written independent of the general debug_level." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1632 msgid "" "OpenLDAP uses a bitmap to enable debugging for specific components, -1 will " "enable full debug output." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1637 msgid "Default: 0 (libldap debugging disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:52 msgid "" "All of the common configuration options that apply to SSSD domains also " "apply to LDAP domains. Refer to the <quote>DOMAIN SECTIONS</quote> section " "of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page for full details. Note " "that SSSD LDAP mapping attributes are described in the <citerefentry> " "<refentrytitle>sssd-ldap-attributes</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1647 msgid "SUDO OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1649 msgid "" "The detailed instructions for configuration of sudo_provider are in the " "manual page <citerefentry> <refentrytitle>sssd-sudo</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1660 msgid "ldap_sudo_full_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1663 msgid "" "How many seconds SSSD will wait between executing a full refresh of sudo " "rules (which downloads all rules that are stored on the server)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1668 msgid "" "The value must be greater than <emphasis>ldap_sudo_smart_refresh_interval " "</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1673 msgid "" "You can disable full refresh by setting this option to 0. However, either " "smart or full refresh must be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1678 msgid "Default: 21600 (6 hours)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1684 msgid "ldap_sudo_smart_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1687 msgid "" "How many seconds SSSD has to wait before executing a smart refresh of sudo " "rules (which downloads all rules that have USN higher than the highest " "server USN value that is currently known by SSSD)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1693 msgid "" "If USN attributes are not supported by the server, the modifyTimestamp " "attribute is used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1697 msgid "" "<emphasis>Note:</emphasis> the highest USN value can be updated by three " "tasks: 1) By sudo full and smart refresh (if updated rules are found), 2) by " "enumeration of users and groups (if enabled and updated users or groups are " "found) and 3) by reconnecting to the server (by default every 15 minutes, " "see <emphasis>ldap_connection_expire_timeout</emphasis>)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1708 msgid "" "You can disable smart refresh by setting this option to 0. However, either " "smart or full refresh must be enabled." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1719 msgid "ldap_sudo_random_offset (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1722 msgid "" "Random offset between 0 and configured value is added to smart and full " "refresh periods each time the periodic task is scheduled. The value is in " "seconds." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1728 msgid "" "Note that this random offset is also applied on the first SSSD start which " "delays the first sudo rules refresh. This prolongs the time when the sudo " "rules are not available for use." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1734 msgid "You can disable this offset by setting the value to 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1744 msgid "ldap_sudo_use_host_filter (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1747 msgid "" "If true, SSSD will download only rules that are applicable to this machine " "(using the IPv4 or IPv6 host/network addresses and hostnames)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1758 msgid "ldap_sudo_hostnames (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1761 msgid "" "Space separated list of hostnames or fully qualified domain names that " "should be used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1766 msgid "" "If this option is empty, SSSD will try to discover the hostname and the " "fully qualified domain name automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1771 sssd-ldap.5.xml:1794 sssd-ldap.5.xml:1812 #: sssd-ldap.5.xml:1830 msgid "" "If <emphasis>ldap_sudo_use_host_filter</emphasis> is " "<emphasis>false</emphasis> then this option has no effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1776 sssd-ldap.5.xml:1799 msgid "Default: not specified" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1782 msgid "ldap_sudo_ip (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1785 msgid "" "Space separated list of IPv4 or IPv6 host/network addresses that should be " "used to filter the rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1790 msgid "" "If this option is empty, SSSD will try to discover the addresses " "automatically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1805 msgid "ldap_sudo_include_netgroups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1808 msgid "" "If true then SSSD will download every rule that contains a netgroup in " "sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1823 msgid "ldap_sudo_include_regexp (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1826 msgid "" "If true then SSSD will download every rule that contains a wildcard in " "sudoHost attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><note><para> #: sssd-ldap.5.xml:1836 msgid "" "Using wildcard is an operation that is very costly to evaluate on the LDAP " "server side!" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1848 msgid "" "This manual page only describes attribute name mapping. For detailed " "explanation of sudo related attribute semantics, see <citerefentry> " "<refentrytitle>sudoers.ldap</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1858 msgid "AUTOFS OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1860 msgid "" "Some of the defaults for the parameters below are dependent on the LDAP " "schema." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1866 msgid "ldap_autofs_map_master_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1869 msgid "The name of the automount master map in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap.5.xml:1872 msgid "Default: auto.master" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1883 msgid "ADVANCED OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1890 msgid "ldap_netgroup_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1895 msgid "ldap_user_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1900 msgid "ldap_group_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><note> #: sssd-ldap.5.xml:1905 msgid "<note>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><note><para> #: sssd-ldap.5.xml:1907 msgid "" "If the option <quote>ldap_use_tokengroups</quote> is enabled, the searches " "against Active Directory will not be restricted and return all groups " "memberships, even with no GID mapping. It is recommended to disable this " "feature, if group names are not being displayed correctly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist> #: sssd-ldap.5.xml:1914 msgid "</note>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1916 msgid "ldap_sudo_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap.5.xml:1921 msgid "ldap_autofs_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1885 msgid "" "These options are supported by LDAP domains, but they should be used with " "caution. Please include them in your configuration only if you know what you " "are doing. <placeholder type=\"variablelist\" id=\"0\"/> <placeholder " "type=\"variablelist\" id=\"1\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1936 sssd-simple.5.xml:131 sssd-ipa.5.xml:930 #: sssd-ad.5.xml:1391 sssd-krb5.5.xml:483 sss_rpcidmapd.5.xml:98 #: sssd-files.5.xml:155 sssd-session-recording.5.xml:176 msgid "EXAMPLE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1938 msgid "" "The following example assumes that SSSD is correctly configured and LDAP is " "set to one of the domains in the <replaceable>[domains]</replaceable> " "section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ldap.5.xml:1944 #, no-wrap msgid "" "[domain/LDAP]\n" "id_provider = ldap\n" "auth_provider = ldap\n" "ldap_uri = ldap://ldap.mydomain.org\n" "ldap_search_base = dc=mydomain,dc=org\n" "ldap_tls_reqcert = demand\n" "cache_credentials = true\n" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: sssd-ldap.5.xml:1943 sssd-ldap.5.xml:1961 sssd-simple.5.xml:139 #: sssd-ipa.5.xml:938 sssd-ad.5.xml:1399 sssd-sudo.5.xml:56 sssd-krb5.5.xml:492 #: sssd-files.5.xml:162 sssd-files.5.xml:173 sssd-session-recording.5.xml:182 #: include/ldap_id_mapping.xml:105 msgid "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1955 msgid "LDAP ACCESS FILTER EXAMPLE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1957 msgid "" "The following example assumes that SSSD is correctly configured and to use " "the ldap_access_order=lockout." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ldap.5.xml:1962 #, no-wrap msgid "" "[domain/LDAP]\n" "id_provider = ldap\n" "auth_provider = ldap\n" "access_provider = ldap\n" "ldap_access_order = lockout\n" "ldap_pwdlockout_dn = cn=ppolicy,ou=policies,dc=mydomain,dc=org\n" "ldap_uri = ldap://ldap.mydomain.org\n" "ldap_search_base = dc=mydomain,dc=org\n" "ldap_tls_reqcert = demand\n" "cache_credentials = true\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap.5.xml:1977 sssd_krb5_locator_plugin.8.xml:83 sssd-simple.5.xml:148 #: sssd-ad.5.xml:1414 sssd.8.xml:238 sss_seed.8.xml:163 msgid "NOTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap.5.xml:1979 msgid "" "The descriptions of some of the configuration options in this manual page " "are based on the <citerefentry> <refentrytitle>ldap.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page from the OpenLDAP 2.4 " "distribution." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: pam_sss.8.xml:11 pam_sss.8.xml:16 msgid "pam_sss" msgstr "" #. type: Content of: <reference><refentry><refmeta><manvolnum> #: pam_sss.8.xml:12 pam_sss_gss.8.xml:12 sssd_krb5_locator_plugin.8.xml:11 #: sssd.8.xml:11 sss_obfuscate.8.xml:11 sss_override.8.xml:11 #: sss_cache.8.xml:11 sss_debuglevel.8.xml:11 sss_seed.8.xml:11 #: idmap_sss.8.xml:11 sssctl.8.xml:11 sssd-kcm.8.xml:11 #: sssd_krb5_localauth_plugin.8.xml:11 msgid "8" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: pam_sss.8.xml:17 msgid "PAM module for SSSD" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: pam_sss.8.xml:22 msgid "" "<command>pam_sss.so</command> <arg choice='opt'> " "<replaceable>quiet</replaceable> </arg> <arg choice='opt'> " "<replaceable>forward_pass</replaceable> </arg> <arg choice='opt'> " "<replaceable>use_first_pass</replaceable> </arg> <arg choice='opt'> " "<replaceable>use_authtok</replaceable> </arg> <arg choice='opt'> " "<replaceable>retry=N</replaceable> </arg> <arg choice='opt'> " "<replaceable>ignore_unknown_user</replaceable> </arg> <arg choice='opt'> " "<replaceable>ignore_authinfo_unavail</replaceable> </arg> <arg choice='opt'> " "<replaceable>domains=X</replaceable> </arg> <arg choice='opt'> " "<replaceable>allow_missing_name</replaceable> </arg> <arg choice='opt'> " "<replaceable>prompt_always</replaceable> </arg> <arg choice='opt'> " "<replaceable>try_cert_auth</replaceable> </arg> <arg choice='opt'> " "<replaceable>require_cert_auth</replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:64 msgid "" "<command>pam_sss.so</command> is the PAM interface to the System Security " "Services daemon (SSSD). Errors and results are logged through " "<command>syslog(3)</command> with the LOG_AUTHPRIV facility." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:70 pam_sss_gss.8.xml:89 sssd.8.xml:42 sss_obfuscate.8.xml:58 #: sss_cache.8.xml:39 sss_seed.8.xml:42 sss_ssh_authorizedkeys.1.xml:123 #: sss_ssh_knownhostsproxy.1.xml:62 msgid "OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:74 msgid "<option>quiet</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:77 msgid "Suppress log messages for unknown users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:82 msgid "<option>forward_pass</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:85 msgid "" "If <option>forward_pass</option> is set the entered password is put on the " "stack for other PAM modules to use." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:92 msgid "<option>use_first_pass</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:95 msgid "" "The argument use_first_pass forces the module to use a previous stacked " "modules password and will never prompt the user - if no password is " "available or the password is not appropriate, the user will be denied " "access." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:103 msgid "<option>use_authtok</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:106 msgid "" "When password changing enforce the module to set the new password to the one " "provided by a previously stacked password module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:113 msgid "<option>retry=N</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:116 msgid "" "If specified the user is asked another N times for a password if " "authentication fails. Default is 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:118 msgid "" "Please note that this option might not work as expected if the application " "calling PAM handles the user dialog on its own. A typical example is " "<command>sshd</command> with <option>PasswordAuthentication</option>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:127 msgid "<option>ignore_unknown_user</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:130 msgid "" "If this option is specified and the user does not exist, the PAM module will " "return PAM_IGNORE. This causes the PAM framework to ignore this module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:137 msgid "<option>ignore_authinfo_unavail</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:141 msgid "" "Specifies that the PAM module should return PAM_IGNORE if it cannot contact " "the SSSD daemon. This causes the PAM framework to ignore this module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:148 msgid "<option>domains</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:152 msgid "" "Allows the administrator to restrict the domains a particular PAM service is " "allowed to authenticate against. The format is a comma-separated list of " "SSSD domain names, as specified in the sssd.conf file." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:158 msgid "" "NOTE: If this is used for a service not running as root user, e.g. a " "web-server, it must be used in conjunction with the " "<quote>pam_trusted_users</quote> and <quote>pam_public_domains</quote> " "options. Please see the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page for more information on these two PAM responder " "options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:173 msgid "<option>allow_missing_name</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:177 msgid "" "The main purpose of this option is to let SSSD determine the user name based " "on additional information, e.g. the certificate from a Smartcard." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> #: pam_sss.8.xml:187 #, no-wrap msgid "" "auth sufficient pam_sss.so allow_missing_name\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:182 msgid "" "The current use case are login managers which can monitor a Smartcard reader " "for card events. In case a Smartcard is inserted the login manager will call " "a PAM stack which includes a line like <placeholder type=\"programlisting\" " "id=\"0\"/> In this case SSSD will try to determine the user name based on " "the content of the Smartcard, returns it to pam_sss which will finally put " "it on the PAM stack." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:197 msgid "<option>prompt_always</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:201 msgid "" "Always prompt the user for credentials. With this option credentials " "requested by other PAM modules, typically a password, will be ignored and " "pam_sss will prompt for credentials again. Based on the pre-auth reply by " "SSSD pam_sss might prompt for a password, a Smartcard PIN or other " "credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:212 msgid "<option>try_cert_auth</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:216 msgid "" "Try to use certificate based authentication, i.e. authentication with a " "Smartcard or similar devices. If a Smartcard is available and the service is " "allowed for Smartcard authentication the user will be prompted for a PIN and " "the certificate based authentication will continue" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:224 msgid "" "If no Smartcard is available or certificate based authentication is not " "allowed for the current service PAM_AUTHINFO_UNAVAIL is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:232 msgid "<option>require_cert_auth</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:236 msgid "" "Do certificate based authentication, i.e. authentication with a Smartcard " "or similar devices. If a Smartcard is not available the user will be " "prompted to insert one. SSSD will wait for a Smartcard until the timeout " "defined by p11_wait_for_card_timeout passed, please see " "<citerefentry><refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:246 msgid "" "If no Smartcard is available after the timeout or certificate based " "authentication is not allowed for the current service PAM_AUTHINFO_UNAVAIL " "is returned." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:256 pam_sss_gss.8.xml:103 msgid "MODULE TYPES PROVIDED" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:257 msgid "" "All module types (<option>account</option>, <option>auth</option>, " "<option>password</option> and <option>session</option>) are provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:260 msgid "" "If SSSD's PAM responder is not running, e.g. if the PAM responder socket is " "not available, pam_sss will return PAM_USER_UNKNOWN when called as " "<option>account</option> module to avoid issues with users from other " "sources during access control." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:267 pam_sss_gss.8.xml:108 msgid "RETURN VALUES" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:270 pam_sss_gss.8.xml:111 msgid "PAM_SUCCESS" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:273 pam_sss_gss.8.xml:114 msgid "The PAM operation finished successfully." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:278 pam_sss_gss.8.xml:119 msgid "PAM_USER_UNKNOWN" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:281 msgid "" "The user is not known to the authentication service or the SSSD's PAM " "responder is not running." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:287 pam_sss_gss.8.xml:128 msgid "PAM_AUTH_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:290 msgid "" "Authentication failure. Also, could be returned when there is a problem with " "getting the certificate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:296 msgid "PAM_PERM_DENIED" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:299 msgid "" "Permission denied. The SSSD log files may contain additional information " "about the error." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:305 msgid "PAM_IGNORE" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:308 msgid "" "See options <option>ignore_unknown_user</option> and " "<option>ignore_authinfo_unavail</option>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:314 msgid "PAM_AUTHTOK_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:317 msgid "" "Unable to obtain the new authentication token. Also, could be returned when " "the user authenticates with certificates and multiple certificates are " "available, but the installed version of GDM does not support selection from " "multiple certificates." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:325 pam_sss_gss.8.xml:136 msgid "PAM_AUTHINFO_UNAVAIL" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:328 pam_sss_gss.8.xml:139 msgid "" "Unable to access the authentication information. This might be due to a " "network or hardware failure." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:334 msgid "PAM_BUF_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:337 msgid "" "A memory error occurred. Also, could be returned when options use_first_pass " "or use_authtok were set, but no password was found from the previously " "stacked PAM module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:344 pam_sss_gss.8.xml:145 msgid "PAM_SYSTEM_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:347 pam_sss_gss.8.xml:148 msgid "" "A system error occurred. The SSSD log files may contain additional " "information about the error." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:353 msgid "PAM_CRED_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:356 msgid "Unable to set the credentials of the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:361 msgid "PAM_CRED_INSUFFICIENT" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:364 msgid "" "The application does not have sufficient credentials to authenticate the " "user. For example, missing PIN during smartcard authentication or missing " "factor during two-factor authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:372 msgid "PAM_SERVICE_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:375 msgid "Error in service module." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:380 msgid "PAM_NEW_AUTHTOK_REQD" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:383 msgid "The user's authentication token has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:388 msgid "PAM_ACCT_EXPIRED" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:391 msgid "The user account has expired." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:396 msgid "PAM_SESSION_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:399 msgid "Unable to fetch IPA Desktop Profile rules or user info." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:404 msgid "PAM_CRED_UNAVAIL" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:407 msgid "Unable to retrieve Kerberos user credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:412 msgid "PAM_NO_MODULE_DATA" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:415 msgid "" "No authentication method was found by Kerberos. This might happen if the " "user has a Smartcard assigned but the pkint plugin is not available on the " "client." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:422 msgid "PAM_CONV_ERR" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:425 msgid "Conversation failure." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:430 msgid "PAM_AUTHTOK_LOCK_BUSY" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:433 msgid "No KDC suitable for password change is available." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:438 msgid "PAM_ABORT" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:441 msgid "Unknown PAM call." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:446 msgid "PAM_MODULE_UNKNOWN" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:449 msgid "Unsupported PAM task or command." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss.8.xml:454 msgid "PAM_BAD_ITEM" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss.8.xml:457 msgid "The authentication module cannot handle Smartcard credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss.8.xml:465 msgid "FILES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:466 msgid "" "If a password reset by root fails, because the corresponding SSSD provider " "does not support password resets, an individual message can be " "displayed. This message can e.g. contain instructions about how to reset a " "password." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:471 msgid "" "The message is read from the file " "<filename>pam_sss_pw_reset_message.LOC</filename> where LOC stands for a " "locale string returned by <citerefentry> " "<refentrytitle>setlocale</refentrytitle><manvolnum>3</manvolnum> " "</citerefentry>. If there is no matching file the content of " "<filename>pam_sss_pw_reset_message.txt</filename> is displayed. Root must be " "the owner of the files and only root may have read and write permissions " "while all other users must have only read permissions." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss.8.xml:481 msgid "" "These files are searched in the directory " "<filename>/etc/sssd/customize/DOMAIN_NAME/</filename>. If no matching file " "is present a generic message is displayed." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: pam_sss_gss.8.xml:11 pam_sss_gss.8.xml:16 msgid "pam_sss_gss" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: pam_sss_gss.8.xml:17 msgid "PAM module for SSSD GSSAPI authentication" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: pam_sss_gss.8.xml:22 msgid "" "<command>pam_sss_gss.so</command> <arg choice='opt'> " "<replaceable>debug</replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:32 msgid "" "<command>pam_sss_gss.so</command> authenticates user over GSSAPI in " "cooperation with SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:36 msgid "" "This module will try to authenticate the user using the GSSAPI hostbased " "service name host@hostname which translates to host/hostname@REALM Kerberos " "principal. The <emphasis>REALM</emphasis> part of the Kerberos principal " "name is derived by Kerberos internal mechanisms and it can be set explicitly " "in configuration of [domain_realm] section in /etc/krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:44 msgid "" "SSSD is used to provide desired service name and to validate the user's " "credentials using GSSAPI calls. If the service ticket is already present in " "the Kerberos credentials cache or if user's ticket granting ticket can be " "used to get the correct service ticket then the user will be authenticated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:51 msgid "" "If <option>pam_gssapi_check_upn</option> is True (default) then SSSD " "requires that the credentials used to obtain the service tickets can be " "associated with the user. This means that the principal that owns the " "Kerberos credentials must match with the user principal name as defined in " "LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:58 msgid "" "To enable GSSAPI authentication in SSSD, set " "<option>pam_gssapi_services</option> option in [pam] or domain section of " "sssd.conf. The service credentials need to be stored in SSSD's keytab (it is " "already present if you use ipa or ad provider). The keytab location can be " "set with <option>krb5_keytab</option> option. See <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> and <citerefentry> <refentrytitle>sssd-krb5</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for more details on these options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:74 msgid "" "Some Kerberos deployments allow to associate authentication indicators with " "a particular pre-authentication method used to obtain the ticket granting " "ticket by the user. <command>pam_sss_gss.so</command> allows to enforce " "presence of authentication indicators in the service tickets before a " "particular PAM service can be accessed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:82 msgid "" "If <option>pam_gssapi_indicators_map</option> is set in the [pam] or domain " "section of sssd.conf, then SSSD will perform a check of the presence of any " "configured indicators in the service ticket." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: pam_sss_gss.8.xml:93 msgid "<option>debug</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss_gss.8.xml:96 msgid "Print debugging information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:104 msgid "Only the <option>auth</option> module type is provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss_gss.8.xml:122 msgid "" "The user is not known to the authentication service or the GSSAPI " "authentication is not supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: pam_sss_gss.8.xml:131 msgid "Authentication failure." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:159 msgid "" "The main use case is to provide password-less authentication in sudo but " "without the need to disable authentication completely. To achieve this, " "first enable GSSAPI authentication for sudo in sssd.conf:" msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: pam_sss_gss.8.xml:165 #, no-wrap msgid "" "[domain/MYDOMAIN]\n" "pam_gssapi_services = sudo, sudo-i\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:169 msgid "" "And then enable the module in desired PAM stack (e.g. /etc/pam.d/sudo and " "/etc/pam.d/sudo-i)." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: pam_sss_gss.8.xml:173 #, no-wrap msgid "" "...\n" "auth sufficient pam_sss_gss.so\n" "...\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: pam_sss_gss.8.xml:180 msgid "TROUBLESHOOTING" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:182 msgid "" "SSSD logs, pam_sss_gss debug output and syslog may contain helpful " "information about the error. Here are some common issues:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:186 msgid "" "1. I have KRB5CCNAME environment variable set and the authentication does " "not work: Depending on your sudo version, it is possible that sudo does not " "pass this variable to the PAM environment. Try adding KRB5CCNAME to " "<option>env_keep</option> in /etc/sudoers or in your LDAP sudo rules default " "options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:193 msgid "" "2. Authentication does not work and syslog contains \"Server not found in " "Kerberos database\": Kerberos is probably not able to resolve correct realm " "for the service ticket based on the hostname. Try adding the hostname " "directly to <option>[domain_realm]</option> in /etc/krb5.conf like so:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:200 msgid "" "3. Authentication does not work and syslog contains \"No Kerberos " "credentials available\": You don't have any credentials that can be used to " "obtain the required service ticket. Use kinit or authenticate over SSSD to " "acquire those credentials." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: pam_sss_gss.8.xml:206 msgid "" "4. Authentication does not work and SSSD sssd-pam log contains \"User with " "UPN [$UPN] was not found.\" or \"UPN [$UPN] does not match target user " "[$username].\": You are using credentials that can not be mapped to the user " "that is being authenticated. Try to use kswitch to select different " "principal, make sure you authenticated with SSSD or consider disabling " "<option>pam_gssapi_check_upn</option>." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: pam_sss_gss.8.xml:214 #, no-wrap msgid "" "[domain_realm]\n" ".myhostname = MYREALM\n" " " msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd_krb5_locator_plugin.8.xml:10 sssd_krb5_locator_plugin.8.xml:15 msgid "sssd_krb5_locator_plugin" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd_krb5_locator_plugin.8.xml:16 msgid "Kerberos locator plugin" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:22 msgid "" "The Kerberos locator plugin <command>sssd_krb5_locator_plugin</command> is " "used by libkrb5 to find KDCs for a given Kerberos realm. SSSD provides such " "a plugin to guide all Kerberos clients on a system to a single KDC. In " "general it should not matter to which KDC a client process is talking to. " "But there are cases, e.g. after a password change, where not all KDCs are in " "the same state because the new data has to be replicated first. To avoid " "unexpected authentication failures and maybe even account lockings it would " "be good to talk to a single KDC as long as possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:34 msgid "" "libkrb5 will search the locator plugin in the libkrb5 sub-directory of the " "Kerberos plugin directory, see plugin_base_dir in <citerefentry> " "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for details. The plugin can only be disabled by removing the " "plugin file. There is no option in the Kerberos configuration to disable " "it. But the SSSD_KRB5_LOCATOR_DISABLE environment variable can be used to " "disable the plugin for individual commands. Alternatively the SSSD option " "krb5_use_kdcinfo=False can be used to not generate the data needed by the " "plugin. With this the plugin is still called but will provide no data to the " "caller so that libkrb5 can fall back to other methods defined in krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:50 msgid "" "The plugin reads the information about the KDCs of a given realm from a file " "called <filename>kdcinfo.REALM</filename>. The file should contain one or " "more DNS names or IP addresses either in dotted-decimal IPv4 notation or the " "hexadecimal IPv6 notation. An optional port number can be added to the end " "separated with a colon, the IPv6 address has to be enclosed in squared " "brackets in this case as usual. Valid entries are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:58 msgid "kdc.example.com" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:59 msgid "kdc.example.com:321" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:60 msgid "1.2.3.4" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:61 msgid "5.6.7.8:99" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:62 msgid "2001:db8:85a3::8a2e:370:7334" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd_krb5_locator_plugin.8.xml:63 msgid "[2001:db8:85a3::8a2e:370:7334]:321" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:65 msgid "" "SSSD's krb5 auth-provider which is used by the IPA and AD providers as well " "adds the address of the current KDC or domain controller SSSD is using to " "this file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:70 msgid "" "In environments with read-only and read-write KDCs where clients are " "expected to use the read-only instances for the general operations and only " "the read-write KDC for config changes like password changes a " "<filename>kpasswdinfo.REALM</filename> is used as well to identify " "read-write KDCs. If this file exists for the given realm the content will be " "used by the plugin to reply to requests for a kpasswd or kadmin server or " "for the MIT Kerberos specific master KDC. If the address contains a port " "number the default KDC port 88 will be used for the latter." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:85 msgid "" "Not all Kerberos implementations support the use of plugins. If " "<command>sssd_krb5_locator_plugin</command> is not available on your system " "you have to edit /etc/krb5.conf to reflect your Kerberos setup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:91 msgid "" "If the environment variable SSSD_KRB5_LOCATOR_DEBUG is set to any value " "debug messages will be sent to stderr." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:95 msgid "" "If the environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value " "the plugin is disabled and will just return KRB5_PLUGIN_NO_HANDLE to the " "caller." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_locator_plugin.8.xml:100 msgid "" "If the environment variable SSSD_KRB5_LOCATOR_IGNORE_DNS_FAILURES is set to " "any value plugin will try to resolve all DNS names in kdcinfo file. By " "default plugin returns KRB5_PLUGIN_NO_HANDLE to the caller immediately on " "first DNS resolving failure." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-simple.5.xml:10 sssd-simple.5.xml:16 msgid "sssd-simple" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-simple.5.xml:17 msgid "the configuration file for SSSD's 'simple' access-control provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:24 msgid "" "This manual page describes the configuration of the simple access-control " "provider for <citerefentry> <refentrytitle>sssd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry>. For a detailed syntax reference, " "refer to the <quote>FILE FORMAT</quote> section of the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:38 msgid "" "The simple access provider grants or denies access based on an access or " "deny list of user or group names. The following rules apply:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:43 msgid "If all lists are empty, access is granted" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:47 msgid "" "If any list is provided, the order of evaluation is allow,deny. This means " "that any matching deny rule will supersede any matched allow rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:54 msgid "" "If either or both \"allow\" lists are provided, all users are denied unless " "they appear in the list." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-simple.5.xml:60 msgid "" "If only \"deny\" lists are provided, all users are granted access unless " "they appear in the list." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:78 msgid "simple_allow_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:81 msgid "Comma separated list of users who are allowed to log in." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:88 msgid "simple_deny_users (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:91 msgid "Comma separated list of users who are explicitly denied access." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:97 msgid "simple_allow_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:100 msgid "" "Comma separated list of groups that are allowed to log in. This applies only " "to groups within this SSSD domain. Local groups are not evaluated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-simple.5.xml:108 msgid "simple_deny_groups (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-simple.5.xml:111 msgid "" "Comma separated list of groups that are explicitly denied access. This " "applies only to groups within this SSSD domain. Local groups are not " "evaluated." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:70 sssd-ipa.5.xml:83 sssd-ad.5.xml:131 msgid "" "Refer to the section <quote>DOMAIN SECTIONS</quote> of the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page for details on the configuration of an SSSD " "domain. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:120 msgid "" "Specifying no values for any of the lists is equivalent to skipping it " "entirely. Beware of this while generating parameters for the simple provider " "using automated scripts." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:125 msgid "" "Please note that it is an configuration error if both, simple_allow_users " "and simple_deny_users, are defined." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:133 msgid "" "The following example assumes that SSSD is correctly configured and " "example.com is one of the domains in the <replaceable>[sssd]</replaceable> " "section. This examples shows only the simple access provider-specific " "options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-simple.5.xml:140 #, no-wrap msgid "" "[domain/example.com]\n" "access_provider = simple\n" "simple_allow_users = user1, user2\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-simple.5.xml:150 msgid "" "The complete group membership hierarchy is resolved before the access check, " "thus even nested groups can be included in the access lists. Please be " "aware that the <quote>ldap_group_nesting_level</quote> option may impact the " "results and should be set to a sufficient value. (<citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>) option." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss-certmap.5.xml:10 sss-certmap.5.xml:16 msgid "sss-certmap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss-certmap.5.xml:17 msgid "SSSD Certificate Matching and Mapping Rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:23 msgid "" "The manual page describes the rules which can be used by SSSD and other " "components to match X.509 certificates and map them to accounts." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:28 msgid "" "Each rule has four components, a <quote>priority</quote>, a <quote>matching " "rule</quote>, a <quote>mapping rule</quote> and a <quote>domain " "list</quote>. All components are optional. A missing <quote>priority</quote> " "will add the rule with the lowest priority. The default <quote>matching " "rule</quote> will match certificates with the digitalSignature key usage and " "clientAuth extended key usage. If the <quote>mapping rule</quote> is empty " "the certificates will be searched in the userCertificate attribute as DER " "encoded binary. If no domains are given only the local domain will be " "searched." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:39 msgid "" "To allow extensions or completely different style of rule the " "<quote>mapping</quote> and <quote>matching rules</quote> can contain a " "prefix separated with a ':' from the main part of the rule. The prefix may " "only contain upper-case ASCII letters and numbers. If the prefix is omitted " "the default type will be used which is 'KRB5' for the matching rules and " "'LDAP' for the mapping rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss-certmap.5.xml:48 msgid "" "The 'sssctl' utility provides the 'cert-eval-rule' command to check if a " "given certificate matches a matching rules and how the output of a mapping " "rule would look like." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss-certmap.5.xml:55 msgid "RULE COMPONENTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:57 msgid "PRIORITY" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:59 msgid "" "The rules are processed by priority while the number '0' (zero) indicates " "the highest priority. The higher the number the lower is the priority. A " "missing value indicates the lowest priority. The rules processing is stopped " "when a matched rule is found and no further rules are checked." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:66 msgid "" "Internally the priority is treated as unsigned 32bit integer, using a " "priority value larger than 4294967295 will cause an error." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:70 msgid "" "If multiple rules have the same priority and only one of the related " "matching rules applies, this rule will be chosen. If there are multiple " "rules with the same priority which matches, one is chosen but which one is " "undefined. To avoid this undefined behavior either use different priorities " "or make the matching rules more specific e.g. by using distinct " "<ISSUER> patterns." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:79 msgid "MATCHING RULE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:81 msgid "" "The matching rule is used to select a certificate to which the mapping rule " "should be applied. It uses a system similar to the one used by " "<quote>pkinit_cert_match</quote> option of MIT Kerberos. It consists of a " "keyword enclosed by '<' and '>' which identified a certain part of the " "certificate and a pattern which should be found for the rule to " "match. Multiple keyword pattern pairs can be either joined with '&&' " "(and) or '||' (or)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:90 msgid "" "Given the similarity to MIT Kerberos the type prefix for this rule is " "'KRB5'. But 'KRB5' will also be the default for <quote>matching " "rules</quote> so that \"<SUBJECT>.*,DC=MY,DC=DOMAIN\" and " "\"KRB5:<SUBJECT>.*,DC=MY,DC=DOMAIN\" are equivalent." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:99 msgid "<SUBJECT>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:102 msgid "" "With this a part or the whole subject name of the certificate can be " "matched. For the matching POSIX Extended Regular Expression syntax is used, " "see regex(7) for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:108 msgid "" "For the matching the subject name stored in the certificate in DER encoded " "ASN.1 is converted into a string according to RFC 4514. This means the most " "specific name component comes first. Please note that not all possible " "attribute names are covered by RFC 4514. The names included are 'CN', 'L', " "'ST', 'O', 'OU', 'C', 'STREET', 'DC' and 'UID'. Other attribute names might " "be shown differently on different platform and by different tools. To avoid " "confusion those attribute names are best not used or covered by a suitable " "regular-expression." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:121 msgid "Example: <SUBJECT>.*,DC=MY,DC=DOMAIN" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:124 msgid "" "Please note that the characters \"^.[$()|*+?{\\\" have a special meaning in " "regular expressions and must be escaped with the help of the '\\' character " "so that they are matched as ordinary characters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:130 msgid "Example: <SUBJECT>^CN=.* \\(Admin\\),DC=MY,DC=DOMAIN$" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:135 msgid "<ISSUER>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:138 msgid "" "With this a part or the whole issuer name of the certificate can be " "matched. All comments for <SUBJECT> apply her as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:143 msgid "Example: <ISSUER>^CN=My-CA,DC=MY,DC=DOMAIN$" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:148 msgid "<KU>key-usage" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:151 msgid "" "This option can be used to specify which key usage values the certificate " "should have. The following values can be used in a comma separated list:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:155 msgid "digitalSignature" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:156 msgid "nonRepudiation" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:157 msgid "keyEncipherment" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:158 msgid "dataEncipherment" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:159 msgid "keyAgreement" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:160 msgid "keyCertSign" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:161 msgid "cRLSign" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:162 msgid "encipherOnly" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:163 msgid "decipherOnly" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:167 msgid "" "A numerical value in the range of a 32bit unsigned integer can be used as " "well to cover special use cases." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:171 msgid "Example: <KU>digitalSignature,keyEncipherment" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:176 msgid "<EKU>extended-key-usage" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:179 msgid "" "This option can be used to specify which extended key usage the certificate " "should have. The following value can be used in a comma separated list:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:183 msgid "serverAuth" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:184 msgid "clientAuth" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:185 msgid "codeSigning" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:186 msgid "emailProtection" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:187 msgid "timeStamping" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:188 msgid "OCSPSigning" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:189 msgid "KPClientAuth" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:190 msgid "pkinit" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sss-certmap.5.xml:191 msgid "msScLogin" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:195 msgid "" "Extended key usages which are not listed above can be specified with their " "OID in dotted-decimal notation." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:199 msgid "Example: <EKU>clientAuth,1.3.6.1.5.2.3.4" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:204 msgid "<SAN>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:207 msgid "" "To be compatible with the usage of MIT Kerberos this option will match the " "Kerberos principals in the PKINIT or AD NT Principal SAN as " "<SAN:Principal> does." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:212 msgid "Example: <SAN>.*@MY\\.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:217 msgid "<SAN:Principal>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:220 msgid "Match the Kerberos principals in the PKINIT or AD NT Principal SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:224 msgid "Example: <SAN:Principal>.*@MY\\.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:229 msgid "<SAN:ntPrincipalName>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:232 msgid "Match the Kerberos principals from the AD NT Principal SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:236 msgid "Example: <SAN:ntPrincipalName>.*@MY.AD.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:241 msgid "<SAN:pkinit>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:244 msgid "Match the Kerberos principals from the PKINIT SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:247 msgid "Example: <SAN:ntPrincipalName>.*@MY\\.PKINIT\\.REALM" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:252 msgid "<SAN:dotted-decimal-oid>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:255 msgid "" "Take the value of the otherName SAN component given by the OID in " "dotted-decimal notation, interpret it as string and try to match it against " "the regular expression." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:261 msgid "Example: <SAN:1.2.3.4>test" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:266 msgid "<SAN:otherName>base64-string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:269 msgid "" "Do a binary match with the base64 encoded blob against all otherName SAN " "components. With this option it is possible to match against custom " "otherName components with special encodings which could not be treated as " "strings." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:276 msgid "Example: <SAN:otherName>MTIz" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:281 msgid "<SAN:rfc822Name>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:284 msgid "Match the value of the rfc822Name SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:287 msgid "Example: <SAN:rfc822Name>.*@email\\.domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:292 msgid "<SAN:dNSName>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:295 msgid "Match the value of the dNSName SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:298 msgid "Example: <SAN:dNSName>.*\\.my\\.dns\\.domain" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:303 msgid "<SAN:x400Address>base64-string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:306 msgid "Binary match the value of the x400Address SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:309 msgid "Example: <SAN:x400Address>MTIz" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:314 msgid "<SAN:directoryName>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:317 msgid "" "Match the value of the directoryName SAN. The same comments as given for " "<ISSUER> and <SUBJECT> apply here as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:322 msgid "Example: <SAN:directoryName>.*,DC=com" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:327 msgid "<SAN:ediPartyName>base64-string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:330 msgid "Binary match the value of the ediPartyName SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:333 msgid "Example: <SAN:ediPartyName>MTIz" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:338 msgid "<SAN:uniformResourceIdentifier>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:341 msgid "Match the value of the uniformResourceIdentifier SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:344 msgid "Example: <SAN:uniformResourceIdentifier>URN:.*" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:349 msgid "<SAN:iPAddress>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:352 msgid "Match the value of the iPAddress SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:355 msgid "Example: <SAN:iPAddress>192\\.168\\..*" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:360 msgid "<SAN:registeredID>regular-expression" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:363 msgid "Match the value of the registeredID SAN as dotted-decimal string." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:367 msgid "Example: <SAN:registeredID>1\\.2\\.3\\..*" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:96 msgid "The available options are: <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:375 msgid "MAPPING RULE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:377 msgid "" "The mapping rule is used to associate a certificate with one or more " "accounts. A Smartcard with the certificate and the matching private key can " "then be used to authenticate as one of those accounts." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:382 msgid "" "Currently SSSD basically only supports LDAP to lookup user information (the " "exception is the proxy provider which is not of relevance here). Because of " "this the mapping rule is based on LDAP search filter syntax with templates " "to add certificate content to the filter. It is expected that the filter " "will only contain the specific data needed for the mapping and that the " "caller will embed it in another filter to do the actual search. Because of " "this the filter string should start and stop with '(' and ')' respectively." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:392 msgid "" "In general it is recommended to use attributes from the certificate and add " "them to special attributes to the LDAP user object. E.g. the " "'altSecurityIdentities' attribute in AD or the 'ipaCertMapData' attribute " "for IPA can be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:398 msgid "" "This should be preferred to read user specific data from the certificate " "like e.g. an email address and search for it in the LDAP server. The reason " "is that the user specific data in LDAP might change for various reasons " "would break the mapping. On the other hand it would be hard to break the " "mapping on purpose for a specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:406 msgid "" "The default <quote>mapping rule</quote> type is 'LDAP' which can be added as " "a prefix to a rule like e.g. " "'LDAP:(userCertificate;binary={cert!bin})'. There is an extension called " "'LDAPU1' which offer more templates for more flexibility. To allow older " "versions of this library to ignore the extension the prefix 'LDAPU1' must be " "used when using the new templates in a <quote>mapping rule</quote> otherwise " "the old version of this library will fail with a parsing error. The new " "templates are described in section <xref linkend=\"map_ldapu1\"/>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:424 msgid "{issuer_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:427 msgid "" "This template will add the full issuer DN converted to a string according to " "RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " "the '_x500' prefix should be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:433 sss-certmap.5.xml:459 msgid "" "The conversion options starting with 'ad_' will use attribute names as used " "by AD, e.g. 'S' instead of 'ST'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:437 sss-certmap.5.xml:463 msgid "" "The conversion options starting with 'nss_' will use attribute names as used " "by NSS." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:441 sss-certmap.5.xml:467 msgid "" "The default conversion option is 'nss', i.e. attribute names according to " "NSS and LDAP/RFC 4514 ordering." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:445 msgid "" "Example: " "(ipacertmapdata=X509:<I>{issuer_dn!ad}<S>{subject_dn!ad})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:450 msgid "{subject_dn[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:453 msgid "" "This template will add the full subject DN converted to string according to " "RFC 4514. If X.500 ordering (most specific RDN comes last) an option with " "the '_x500' prefix should be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:471 msgid "" "Example: " "(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:476 msgid "{cert[!(bin|base64)]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:479 msgid "" "This template will add the whole DER encoded certificate as a string to the " "search filter. Depending on the conversion option the binary certificate is " "either converted to an escaped hex sequence '\\xx' or base64. The escaped " "hex sequence is the default and can e.g. be used with the LDAP attribute " "'userCertificate;binary'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:487 msgid "Example: (userCertificate;binary={cert!bin})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:492 msgid "{subject_principal[.short_name]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:495 msgid "" "This template will add the Kerberos principal which is taken either from the " "SAN used by pkinit or the one used by AD. The 'short_name' component " "represents the first part of the principal before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:501 msgid "" "Example: " "(|(userPrincipal={subject_principal})(samAccountName={subject_principal.short_name}))" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:506 msgid "{subject_pkinit_principal[.short_name]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:509 msgid "" "This template will add the Kerberos principal which is given by the SAN used " "by pkinit. The 'short_name' component represents the first part of the " "principal before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:515 msgid "" "Example: " "(|(userPrincipal={subject_pkinit_principal})(uid={subject_pkinit_principal.short_name}))" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:520 msgid "{subject_nt_principal[.short_name]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:523 msgid "" "This template will add the Kerberos principal which is given by the SAN used " "by AD. The 'short_name' component represent the first part of the principal " "before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:529 msgid "" "Example: " "(|(userPrincipalName={subject_nt_principal})(samAccountName={subject_nt_principal.short_name}))" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:534 msgid "{subject_rfc822_name[.short_name]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:537 msgid "" "This template will add the string which is stored in the rfc822Name " "component of the SAN, typically an email address. The 'short_name' component " "represents the first part of the address before the '@' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:543 msgid "" "Example: " "(|(mail={subject_rfc822_name})(uid={subject_rfc822_name.short_name}))" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:548 msgid "{subject_dns_name[.short_name]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:551 msgid "" "This template will add the string which is stored in the dNSName component " "of the SAN, typically a fully-qualified host name. The 'short_name' " "component represents the first part of the name before the first '.' sign." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:557 msgid "Example: (|(fqdn={subject_dns_name})(host={subject_dns_name.short_name}))" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:562 msgid "{subject_uri}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:565 msgid "" "This template will add the string which is stored in the " "uniformResourceIdentifier component of the SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:569 msgid "Example: (uri={subject_uri})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:574 msgid "{subject_ip_address}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:577 msgid "" "This template will add the string which is stored in the iPAddress component " "of the SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:581 msgid "Example: (ip={subject_ip_address})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:586 msgid "{subject_x400_address}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:589 msgid "" "This template will add the value which is stored in the x400Address " "component of the SAN as escaped hex sequence." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:594 msgid "Example: (attr:binary={subject_x400_address})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:599 msgid "{subject_directory_name[!((ad|ad_x500)|ad_ldap|nss_x500|(nss|nss_ldap))]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:602 msgid "" "This template will add the DN string of the value which is stored in the " "directoryName component of the SAN." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:606 msgid "Example: (orig_dn={subject_directory_name})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:611 msgid "{subject_ediparty_name}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:614 msgid "" "This template will add the value which is stored in the ediPartyName " "component of the SAN as escaped hex sequence." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:619 msgid "Example: (attr:binary={subject_ediparty_name})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:624 msgid "{subject_registered_id}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:627 msgid "" "This template will add the OID which is stored in the registeredID component " "of the SAN as a dotted-decimal string." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:632 msgid "Example: (oid={subject_registered_id})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:417 msgid "" "The templates to add certificate data to the search filter are based on " "Python-style formatting strings. They consist of a keyword in curly braces " "with an optional sub-component specifier separated by a '.' or an optional " "conversion/formatting option separated by a '!'. Allowed values are: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><title> #: sss-certmap.5.xml:639 msgid "LDAPU1 extension" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para> #: sss-certmap.5.xml:641 msgid "The following template are available when using the 'LDAPU1' extension:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:647 msgid "{serial_number[!(dec|hex[_ucr])]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:650 msgid "" "This template will add the serial number of the certificate. By default it " "will be printed as a hexadecimal number with lower-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:655 msgid "" "With the formatting option '!dec' the number will be printed as decimal " "string. The hexadecimal output can be printed with upper-case letters " "('!hex_u'), with a colon separating the hexadecimal bytes ('!hex_c') or with " "the hexadecimal bytes in reverse order ('!hex_r'). The postfix letters can " "be combined so that e.g. '!hex_uc' will produce a colon-separated " "hexadecimal string with upper-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:665 msgid "Example: LDAPU1:(serial={serial_number})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:671 msgid "{subject_key_id[!hex[_ucr]]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:674 msgid "" "This template will add the subject key id of the certificate. By default it " "will be printed as a hexadecimal number with lower-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:679 msgid "" "The hexadecimal output can be printed with upper-case letters ('!hex_u'), " "with a colon separating the hexadecimal bytes ('!hex_c') or with the " "hexadecimal bytes in reverse order ('!hex_r'). The postfix letters can be " "combined so that e.g. '!hex_uc' will produce a colon-separated hexadecimal " "string with upper-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:688 msgid "Example: LDAPU1:(ski={subject_key_id})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:694 msgid "{cert[!DIGEST[_ucr]]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:697 msgid "" "This template will add the hexadecimal digest/hash of the certificate where " "DIGEST must be replaced with the name of a digest/hash function supported by " "OpenSSL, e.g. 'sha512'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:703 msgid "" "The hexadecimal output can be printed with upper-case letters ('!sha512_u'), " "with a colon separating the hexadecimal bytes ('!sha512_c') or with the " "hexadecimal bytes in reverse order ('!sha512_r'). The postfix letters can be " "combined so that e.g. '!sha512_uc' will produce a colon-separated " "hexadecimal string with upper-case letters." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:712 msgid "Example: LDAPU1:(dgst={cert!sha256})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:718 msgid "{subject_dn_component[(.attr_name|[number]]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:721 msgid "" "This template will add an attribute value of a component of the subject DN, " "by default the value of the most specific component." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:726 msgid "" "A different component can it either selected by attribute name, " "e.g. {subject_dn_component.uid} or by position, " "e.g. {subject_dn_component.[2]} where positive numbers start counting from " "the most specific component and negative numbers start counting from the " "least specific component. Attribute name and the position can be combined as " "e.g. {subject_dn_component.uid[2]} which means that the name of the second " "component must be 'uid'." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:737 msgid "Example: LDAPU1:(uid={subject_dn_component.uid})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:743 msgid "{issuer_dn_component[(.attr_name|[number]]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:746 msgid "" "This template will add an attribute value of a component of the issuer DN, " "by default the value of the most specific component." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:751 msgid "" "See 'subject_dn_component' for details about the attribute name and position " "specifiers." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:755 msgid "" "Example: " "LDAPU1:(domain={issuer_dn_component.[-2]}.{issuer_dn_component.dc[-1]})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><term> #: sss-certmap.5.xml:760 msgid "{sid[.rid]}" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:763 msgid "" "This template will add the SID if the corresponding extension introduced by " "Microsoft with the OID 1.3.6.1.4.1.311.25.2 is available. With the '.rid' " "selector only the last component, i.e. the RID, will be added." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><refsect3><para><variablelist><varlistentry><listitem><para> #: sss-certmap.5.xml:770 msgid "Example: LDAPU1:(objectsid={sid})" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss-certmap.5.xml:779 msgid "DOMAIN LIST" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss-certmap.5.xml:781 msgid "" "If the domain list is not empty users mapped to a given certificate are not " "only searched in the local domain but in the listed domains as well as long " "as they are know by SSSD. Domains not know to SSSD will be ignored." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ipa.5.xml:10 sssd-ipa.5.xml:16 msgid "sssd-ipa" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ipa.5.xml:17 msgid "SSSD IPA provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:23 msgid "" "This manual page describes the configuration of the IPA provider for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:36 msgid "" "The IPA provider is a back end used to connect to an IPA server. (Refer to " "the freeipa.org web site for information about IPA servers.) This provider " "requires that the machine be joined to the IPA domain; configuration is " "almost entirely self-discovered and obtained directly from the server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:43 msgid "" "The IPA provider enables SSSD to use the <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> identity provider and the <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> authentication provider with optimizations for IPA " "environments. The IPA provider accepts the same options used by the " "sssd-ldap and sssd-krb5 providers with some exceptions. However, it is " "neither necessary nor recommended to set these options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:57 msgid "" "The IPA provider primarily copies the traditional ldap and krb5 provider " "default options with some exceptions, the differences are listed in the " "<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:62 msgid "" "As an access provider, the IPA provider has a minimal configuration (see " "<quote>ipa_access_order</quote>) as it mainly uses HBAC (host-based access " "control) rules. Please refer to freeipa.org for more information about HBAC." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:68 msgid "" "If <quote>auth_provider=ipa</quote> or <quote>access_provider=ipa</quote> is " "configured in sssd.conf then the id_provider must also be set to " "<quote>ipa</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:74 msgid "" "The IPA provider will use the PAC responder if the Kerberos tickets of users " "from trusted realms contain a PAC. To make configuration easier the PAC " "responder is started automatically if the IPA ID provider is configured." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:90 msgid "ipa_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:93 msgid "" "Specifies the name of the IPA domain. This is optional. If not provided, " "the configuration domain name is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:101 msgid "ipa_server, ipa_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:104 msgid "" "The comma-separated list of IP addresses or hostnames of the IPA servers to " "which SSSD should connect in the order of preference. For more information " "on failover and server redundancy, see the <quote>FAILOVER</quote> section. " "This is optional if autodiscovery is enabled. For more information on " "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:117 msgid "ipa_hostname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:120 msgid "" "Optional. May be set on machines where the hostname(5) does not reflect the " "fully qualified name used in the IPA domain to identify this host. The " "hostname must be fully qualified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:129 sssd-ad.5.xml:1181 msgid "dyndns_update (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:132 msgid "" "Optional. This option tells SSSD to automatically update the DNS server " "built into FreeIPA with the IP address of this client. The update is secured " "using GSS-TSIG. The IP address of the IPA LDAP connection is used for the " "updates, if it is not otherwise specified by using the " "<quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:141 sssd-ad.5.xml:1195 msgid "" "NOTE: On older systems (such as RHEL 5), for this behavior to work reliably, " "the default Kerberos realm must be set properly in /etc/krb5.conf" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:146 msgid "" "NOTE: While it is still possible to use the old " "<emphasis>ipa_dyndns_update</emphasis> option, users should migrate to using " "<emphasis>dyndns_update</emphasis> in their config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:158 sssd-ad.5.xml:1206 msgid "dyndns_ttl (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:161 sssd-ad.5.xml:1209 msgid "" "The TTL to apply to the client DNS record when updating it. If " "dyndns_update is false this has no effect. This will override the TTL " "serverside if set by an administrator." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:166 msgid "" "NOTE: While it is still possible to use the old " "<emphasis>ipa_dyndns_ttl</emphasis> option, users should migrate to using " "<emphasis>dyndns_ttl</emphasis> in their config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:172 msgid "Default: 1200 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:178 sssd-ad.5.xml:1220 msgid "dyndns_iface (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:181 sssd-ad.5.xml:1223 msgid "" "Optional. Applicable only when dyndns_update is true. Choose the interface " "or a list of interfaces whose IP addresses should be used for dynamic DNS " "updates. Special value <quote>*</quote> implies that IPs from all interfaces " "should be used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:188 msgid "" "NOTE: While it is still possible to use the old " "<emphasis>ipa_dyndns_iface</emphasis> option, users should migrate to using " "<emphasis>dyndns_iface</emphasis> in their config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:194 msgid "" "Default: Use the IP addresses of the interface which is used for IPA LDAP " "connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:198 sssd-ad.5.xml:1234 msgid "Example: dyndns_iface = em1, vnet1, vnet2" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:204 sssd-ad.5.xml:1290 msgid "dyndns_auth (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:207 sssd-ad.5.xml:1293 msgid "" "Whether the nsupdate utility should use GSS-TSIG authentication for secure " "updates with the DNS server, insecure updates can be sent by setting this " "option to 'none'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:213 sssd-ad.5.xml:1299 msgid "Default: GSS-TSIG" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:219 sssd-ad.5.xml:1305 msgid "dyndns_auth_ptr (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:222 sssd-ad.5.xml:1308 msgid "" "Whether the nsupdate utility should use GSS-TSIG authentication for secure " "PTR updates with the DNS server, insecure updates can be sent by setting " "this option to 'none'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:228 sssd-ad.5.xml:1314 msgid "Default: Same as dyndns_auth" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:234 msgid "ipa_enable_dns_sites (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:237 sssd-ad.5.xml:238 msgid "Enables DNS sites - location based service discovery." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:241 msgid "" "If true and service discovery (see Service Discovery paragraph at the bottom " "of the man page) is enabled, then the SSSD will first attempt location " "based discovery using a query that contains " "\"_location.hostname.example.com\" and then fall back to traditional SRV " "discovery. If the location based discovery succeeds, the IPA servers located " "with the location based discovery are treated as primary servers and the IPA " "servers located using the traditional SRV discovery are used as back up " "servers" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:260 sssd-ad.5.xml:1240 msgid "dyndns_refresh_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:263 msgid "" "How often should the back end perform periodic DNS update in addition to the " "automatic update performed when the back end goes online. This option is " "optional and applicable only when dyndns_update is true." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:276 sssd-ad.5.xml:1258 msgid "dyndns_update_ptr (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:279 sssd-ad.5.xml:1261 msgid "" "Whether the PTR record should also be explicitly updated when updating the " "client's DNS records. Applicable only when dyndns_update is true." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:284 msgid "" "This option should be False in most IPA deployments as the IPA server " "generates the PTR records automatically when forward records are changed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:290 sssd-ad.5.xml:1266 msgid "" "Note that <emphasis>dyndns_update_per_family</emphasis> parameter does not " "apply for PTR record updates. Those updates are always sent separately." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:295 msgid "Default: False (disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:301 sssd-ad.5.xml:1277 msgid "dyndns_force_tcp (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:304 sssd-ad.5.xml:1280 msgid "" "Whether the nsupdate utility should default to using TCP for communicating " "with the DNS server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:308 sssd-ad.5.xml:1284 msgid "Default: False (let nsupdate choose the protocol)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:314 sssd-ad.5.xml:1320 msgid "dyndns_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:317 sssd-ad.5.xml:1323 msgid "" "The DNS server to use when performing a DNS update. In most setups, it's " "recommended to leave this option unset." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:322 sssd-ad.5.xml:1328 msgid "" "Setting this option makes sense for environments where the DNS server is " "different from the identity server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:327 sssd-ad.5.xml:1333 msgid "" "Please note that this option will be only used in fallback attempt when " "previous attempt using autodetected settings failed." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:332 sssd-ad.5.xml:1338 msgid "Default: None (let nsupdate choose the server)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:338 sssd-ad.5.xml:1344 msgid "dyndns_update_per_family (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:341 sssd-ad.5.xml:1347 msgid "" "DNS update is by default performed in two steps - IPv4 update and then IPv6 " "update. In some cases it might be desirable to perform IPv4 and IPv6 update " "in single step." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:353 msgid "ipa_access_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:360 msgid "<emphasis>expire</emphasis>: use IPA's account expiration policy." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:399 msgid "" "Please note that 'access_provider = ipa' must be set for this feature to " "work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:406 msgid "ipa_deskprofile_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:409 msgid "" "Optional. Use the given string as search base for Desktop Profile related " "objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:413 sssd-ipa.5.xml:440 msgid "Default: Use base DN" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:419 msgid "ipa_subid_ranges_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:422 msgid "" "Optional. Use the given string as search base for subordinate ranges related " "objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:426 msgid "Default: the value of <emphasis>cn=subids,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:433 msgid "ipa_hbac_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:436 msgid "Optional. Use the given string as search base for HBAC related objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:446 msgid "ipa_host_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:449 msgid "Deprecated. Use ldap_host_search_base instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:455 msgid "ipa_selinux_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:458 msgid "Optional. Use the given string as search base for SELinux user maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:474 msgid "ipa_subdomains_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:477 msgid "Optional. Use the given string as search base for trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:486 msgid "Default: the value of <emphasis>cn=trusts,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:493 msgid "ipa_master_domain_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:496 msgid "Optional. Use the given string as search base for master domain object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:505 msgid "Default: the value of <emphasis>cn=ad,cn=etc,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:512 msgid "ipa_views_search_base (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:515 msgid "Optional. Use the given string as search base for views containers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:524 msgid "Default: the value of <emphasis>cn=views,cn=accounts,%basedn</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:534 msgid "" "The name of the Kerberos realm. This is optional and defaults to the value " "of <quote>ipa_domain</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:538 msgid "" "The name of the Kerberos realm has a special meaning in IPA - it is " "converted into the base DN to use for performing LDAP operations." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:546 sssd-ad.5.xml:1362 msgid "krb5_confd_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:549 sssd-ad.5.xml:1365 msgid "" "Absolute path of a directory where SSSD should place Kerberos configuration " "snippets." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:553 sssd-ad.5.xml:1369 msgid "" "To disable the creation of the configuration snippets set the parameter to " "'none'." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:557 sssd-ad.5.xml:1373 msgid "Default: not set (krb5.include.d subdirectory of SSSD's pubconf directory)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:564 msgid "ipa_deskprofile_refresh (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:567 msgid "" "The amount of time between lookups of the Desktop Profile rules against the " "IPA server. This will reduce the latency and load on the IPA server if there " "are many desktop profiles requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:574 sssd-ipa.5.xml:604 sssd-ipa.5.xml:620 sssd-ad.5.xml:599 msgid "Default: 5 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:580 msgid "ipa_deskprofile_request_interval (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:583 msgid "" "The amount of time between lookups of the Desktop Profile rules against the " "IPA server in case the last request did not return any rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:588 msgid "Default: 60 (minutes)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:594 msgid "ipa_hbac_refresh (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:597 msgid "" "The amount of time between lookups of the HBAC rules against the IPA " "server. This will reduce the latency and load on the IPA server if there are " "many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:610 msgid "ipa_hbac_selinux (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:613 msgid "" "The amount of time between lookups of the SELinux maps against the IPA " "server. This will reduce the latency and load on the IPA server if there are " "many user login requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:626 msgid "ipa_server_mode (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:629 msgid "" "This option will be set by the IPA installer (ipa-server-install) " "automatically and denotes if SSSD is running on an IPA server or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:634 msgid "" "On an IPA server SSSD will lookup users and groups from trusted domains " "directly while on a client it will ask an IPA server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:639 msgid "" "NOTE: There are currently some assumptions that must be met when SSSD is " "running on an IPA server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:644 msgid "" "The <quote>ipa_server</quote> option must be configured to point to the IPA " "server itself. This is already the default set by the IPA installer, so no " "manual change is required." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:653 msgid "" "The <quote>full_name_format</quote> option must not be tweaked to only print " "short names for users from trusted domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:668 msgid "ipa_automount_location (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:671 msgid "The automounter location this IPA client will be using" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:674 msgid "Default: The location named \"default\"" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ipa.5.xml:682 msgid "VIEWS AND OVERRIDES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:691 msgid "ipa_view_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:694 msgid "Objectclass of the view container." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:697 msgid "Default: nsContainer" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:703 msgid "ipa_view_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:706 msgid "Name of the attribute holding the name of the view." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:710 sssd-ldap-attributes.5.xml:496 #: sssd-ldap-attributes.5.xml:830 sssd-ldap-attributes.5.xml:911 #: sssd-ldap-attributes.5.xml:1008 sssd-ldap-attributes.5.xml:1066 #: sssd-ldap-attributes.5.xml:1224 sssd-ldap-attributes.5.xml:1269 msgid "Default: cn" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:716 msgid "ipa_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:719 msgid "Objectclass of the override objects." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:722 msgid "Default: ipaOverrideAnchor" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:728 msgid "ipa_anchor_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:731 msgid "" "Name of the attribute containing the reference to the original object in a " "remote domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:735 msgid "Default: ipaAnchorUUID" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:741 msgid "ipa_user_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:744 msgid "" "Name of the objectclass for user overrides. It is used to determine if the " "found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:749 msgid "User overrides can contain attributes given by" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:752 msgid "ldap_user_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:755 msgid "ldap_user_uid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:758 msgid "ldap_user_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:761 msgid "ldap_user_gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:764 msgid "ldap_user_home_directory" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:767 msgid "ldap_user_shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:770 msgid "ldap_user_ssh_public_key" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:775 msgid "Default: ipaUserOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-ipa.5.xml:781 msgid "ipa_group_override_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:784 msgid "" "Name of the objectclass for group overrides. It is used to determine if the " "found override object is related to a user or a group." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:789 msgid "Group overrides can contain attributes given by" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:792 msgid "ldap_group_name" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:795 msgid "ldap_group_gid_number" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-ipa.5.xml:800 msgid "Default: ipaGroupOverride" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:684 msgid "" "SSSD can handle views and overrides which are offered by FreeIPA 4.1 and " "later version. Since all paths and objectclasses are fixed on the server " "side there is basically no need to configure anything. For completeness the " "related options are listed here with their default values. <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ipa.5.xml:812 msgid "SUBDOMAINS PROVIDER" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:814 msgid "" "The IPA subdomains provider behaves slightly differently if it is configured " "explicitly or implicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:818 msgid "" "If the option 'subdomains_provider = ipa' is found in the domain section of " "sssd.conf, the IPA subdomains provider is configured explicitly, and all " "subdomain requests are sent to the IPA server if necessary." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:824 msgid "" "If the option 'subdomains_provider' is not set in the domain section of " "sssd.conf but there is the option 'id_provider = ipa', the IPA subdomains " "provider is configured implicitly. In this case, if a subdomain request " "fails and indicates that the server does not support subdomains, i.e. is not " "configured for trusts, the IPA subdomains provider is disabled. After an " "hour or after the IPA provider goes online, the subdomains provider is " "enabled again." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ipa.5.xml:835 msgid "TRUSTED DOMAINS CONFIGURATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ipa.5.xml:843 #, no-wrap msgid "" "[domain/ipa.domain.com/ad.domain.com]\n" "ad_server = dc.ad.domain.com\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:837 msgid "" "Some configuration options can also be set for a trusted domain. A trusted " "domain configuration can be set using the trusted domain subsection as shown " "in the example below. Alternatively, the <quote>subdomain_inherit</quote> " "option can be used in the parent domain. <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:848 msgid "" "For more details, see the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:855 msgid "" "Different configuration options are tunable for a trusted domain depending " "on whether you are configuring SSSD on an IPA server or an IPA client." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ipa.5.xml:860 msgid "OPTIONS TUNABLE ON IPA MASTERS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:862 msgid "The following options can be set in a subdomain section on an IPA master:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:866 sssd-ipa.5.xml:896 msgid "ad_server" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:869 msgid "ad_backup_server" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:872 sssd-ipa.5.xml:899 msgid "ad_site" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:875 msgid "ldap_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:878 msgid "ldap_user_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ipa.5.xml:881 msgid "ldap_group_search_base" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ipa.5.xml:890 msgid "OPTIONS TUNABLE ON IPA CLIENTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:892 msgid "The following options can be set in a subdomain section on an IPA client:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:904 msgid "" "Note that if both options are set, only <quote>ad_server</quote> is " "evaluated." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ipa.5.xml:908 msgid "" "Since any request for a user or a group identity from a trusted domain " "triggered from an IPA client is resolved by the IPA server, the " "<quote>ad_server</quote> and <quote>ad_site</quote> options only affect " "which AD DC will the authentication be performed against. In particular, the " "addresses resolved from these lists will be written to " "<quote>kdcinfo</quote> files read by the Kerberos locator plugin. Please " "refer to the <citerefentry> " "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> manual page for more details on the " "Kerberos locator plugin." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ipa.5.xml:932 msgid "" "The following example assumes that SSSD is correctly configured and " "example.com is one of the domains in the <replaceable>[sssd]</replaceable> " "section. This examples shows only the ipa provider-specific options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ipa.5.xml:939 #, no-wrap msgid "" "[domain/example.com]\n" "id_provider = ipa\n" "ipa_server = ipaserver.example.com\n" "ipa_hostname = myhost.example.com\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ad.5.xml:10 sssd-ad.5.xml:16 msgid "sssd-ad" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ad.5.xml:17 msgid "SSSD Active Directory provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:23 msgid "" "This manual page describes the configuration of the AD provider for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:36 msgid "" "The AD provider is a back end used to connect to an Active Directory " "server. This provider requires that the machine be joined to the AD domain " "and a keytab is available. Back end communication occurs over a " "GSSAPI-encrypted channel, SSL/TLS options should not be used with the AD " "provider and will be superseded by Kerberos usage." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:44 msgid "" "The AD provider supports connecting to Active Directory 2008 R2 or " "later. Earlier versions may work, but are unsupported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:48 msgid "" "The AD provider can be used to get user information and authenticate users " "from trusted domains. Currently only trusted domains in the same forest are " "recognized. In addition servers from trusted domains are always " "auto-discovered." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:54 msgid "" "The AD provider enables SSSD to use the <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> identity provider and the <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> authentication provider with optimizations for Active " "Directory environments. The AD provider accepts the same options used by the " "sssd-ldap and sssd-krb5 providers with some exceptions. However, it is " "neither necessary nor recommended to set these options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:69 msgid "" "The AD provider primarily copies the traditional ldap and krb5 provider " "default options with some exceptions, the differences are listed in the " "<quote>MODIFIED DEFAULT OPTIONS</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:74 msgid "" "The AD provider can also be used as an access, chpass, sudo and autofs " "provider. No configuration of the access provider is required on the client " "side." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:79 msgid "" "If <quote>auth_provider=ad</quote> or <quote>access_provider=ad</quote> is " "configured in sssd.conf then the id_provider must also be set to " "<quote>ad</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ad.5.xml:91 #, no-wrap msgid "" "ldap_id_mapping = False\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:85 msgid "" "By default, the AD provider will map UID and GID values from the objectSID " "parameter in Active Directory. For details on this, see the <quote>ID " "MAPPING</quote> section below. If you want to disable ID mapping and instead " "rely on POSIX attributes defined in Active Directory, you should set " "<placeholder type=\"programlisting\" id=\"0\"/> If POSIX attributes should " "be used, it is recommended for performance reasons that the attributes are " "also replicated to the Global Catalog. If POSIX attributes are replicated, " "SSSD will attempt to locate the domain of a requested numerical ID with the " "help of the Global Catalog and only search that domain. In contrast, if " "POSIX attributes are not replicated to the Global Catalog, SSSD must search " "all the domains in the forest sequentially. Please note that the " "<quote>cache_first</quote> option might be also helpful in speeding up " "domainless searches. Note that if only a subset of POSIX attributes is " "present in the Global Catalog, the non-replicated attributes are currently " "not read from the LDAP port." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:108 msgid "" "Users, groups and other entities served by SSSD are always treated as " "case-insensitive in the AD provider for compatibility with Active " "Directory's LDAP implementation." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:113 msgid "" "SSSD only resolves Active Directory Security Groups. For more information " "about AD group types see: <ulink " "url=\"https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups\"> " "Active Directory security groups</ulink>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:120 msgid "" "SSSD filters out Domain Local groups from remote domains in the AD " "forest. By default they are filtered out e.g. when following a nested group " "hierarchy in remote domains because they are not valid in the local " "domain. This is done to be in agreement with Active Directory's " "group-membership assignment which can be seen in the PAC of the Kerberos " "ticket of a user issued by Active Directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:138 msgid "ad_domain (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:141 msgid "" "Specifies the name of the Active Directory domain. This is optional. If not " "provided, the configuration domain name is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:146 msgid "" "For proper operation, this option should be specified as the lower-case " "version of the long version of the Active Directory domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:151 msgid "" "The short domain name (also known as the NetBIOS or the flat name) is " "autodetected by the SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:158 msgid "ad_enabled_domains (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:161 msgid "" "A comma-separated list of enabled Active Directory domains. If provided, " "SSSD will ignore any domains not listed in this option. If left unset, all " "discovered domains from the AD forest will be available." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:168 msgid "" "During the discovery of the domains SSSD will filter out some domains where " "flags or attributes indicate that they do not belong to the local forest or " "are not trusted. If ad_enabled_domains is set, SSSD will try to enable all " "listed domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:179 #, no-wrap msgid "" "ad_enabled_domains = sales.example.com, eng.example.com\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:175 msgid "" "For proper operation, this option must be specified in all lower-case and as " "the fully qualified domain name of the Active Directory domain. For example: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:183 msgid "" "The short domain name (also known as the NetBIOS or the flat name) will be " "autodetected by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:193 msgid "ad_server, ad_backup_server (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:196 msgid "" "The comma-separated list of hostnames of the AD servers to which SSSD should " "connect in order of preference. For more information on failover and server " "redundancy, see the <quote>FAILOVER</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:203 msgid "" "This is optional if autodiscovery is enabled. For more information on " "service discovery, refer to the <quote>SERVICE DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:208 msgid "" "Note: Trusted domains will always auto-discover servers even if the primary " "server is explicitly defined in the ad_server option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:216 msgid "ad_hostname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:219 msgid "" "Optional. On machines where the hostname(5) does not reflect the fully " "qualified name, sssd will try to expand the short name. If it is not " "possible or the short name should be really used instead, set this parameter " "explicitly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:226 msgid "" "This field is used to determine the host principal in use in the keytab and " "to perform dynamic DNS updates. It must match the hostname for which the " "keytab was issued." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:235 msgid "ad_enable_dns_sites (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:242 msgid "" "If true and service discovery (see Service Discovery paragraph at the bottom " "of the man page) is enabled, the SSSD will first attempt to discover the " "Active Directory server to connect to using the Active Directory Site " "Discovery and fall back to the DNS SRV records if no AD site is found. The " "DNS SRV configuration, including the discovery domain, is used during site " "discovery as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:258 msgid "ad_access_filter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:261 msgid "" "This option specifies LDAP access control filter that the user must match in " "order to be allowed access. Please note that the " "<quote>access_provider</quote> option must be explicitly set to " "<quote>ad</quote> in order for this option to have an effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:269 msgid "" "The option also supports specifying different filters per domain or " "forest. This extended filter would consist of: " "<quote>KEYWORD:NAME:FILTER</quote>. The keyword can be either " "<quote>DOM</quote>, <quote>FOREST</quote> or missing." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:277 msgid "" "If the keyword equals to <quote>DOM</quote> or is missing, then " "<quote>NAME</quote> specifies the domain or subdomain the filter applies " "to. If the keyword equals to <quote>FOREST</quote>, then the filter equals " "to all domains from the forest specified by <quote>NAME</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:285 msgid "" "Multiple filters can be separated with the <quote>?</quote> character, " "similarly to how search bases work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:290 msgid "" "Nested group membership must be searched for using a special OID " "<quote>:1.2.840.113556.1.4.1941:</quote> in addition to the full " "DOM:domain.example.org: syntax to ensure the parser does not attempt to " "interpret the colon characters associated with the OID. If you do not use " "this OID then nested group membership will not be resolved. See usage " "example below and refer here for further information about the OID: <ulink " "url=\"https://msdn.microsoft.com/en-us/library/cc223367.aspx\"> [MS-ADTS] " "section LDAP extensions</ulink>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:303 msgid "" "The most specific match is always used. For example, if the option specified " "filter for a domain the user is a member of and a global filter, the " "per-domain filter would be applied. If there are more matches with the same " "specification, the first one is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><programlisting> #: sssd-ad.5.xml:314 #, no-wrap msgid "" "# apply filter on domain called dom1 only:\n" "dom1:(memberOf=cn=admins,ou=groups,dc=dom1,dc=com)\n" "\n" "# apply filter on domain called dom2 only:\n" "DOM:dom2:(memberOf=cn=admins,ou=groups,dc=dom2,dc=com)\n" "\n" "# apply filter on forest called EXAMPLE.COM only:\n" "FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com)\n" "\n" "# apply filter for a member of a nested group in dom1:\n" "DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,dc=com)\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:333 msgid "ad_site (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:336 msgid "" "Specify AD site to which client should try to connect. If this option is " "not provided, the AD site will be auto-discovered." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:347 msgid "ad_enable_gc (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:350 msgid "" "By default, the SSSD connects to the Global Catalog first to retrieve users " "from trusted domains and uses the LDAP port to retrieve group memberships or " "as a fallback. Disabling this option makes the SSSD only connect to the LDAP " "port of the current AD server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:358 msgid "" "Please note that disabling Global Catalog support does not disable " "retrieving users from trusted domains. The SSSD would connect to the LDAP " "port of trusted domains instead. However, Global Catalog must be used in " "order to resolve cross-domain group memberships." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:372 msgid "ad_gpo_access_control (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:375 msgid "" "This option specifies the operation mode for GPO-based access control " "functionality: whether it operates in disabled mode, enforcing mode, or " "permissive mode. Please note that the <quote>access_provider</quote> option " "must be explicitly set to <quote>ad</quote> in order for this option to have " "an effect." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:384 msgid "" "GPO-based access control functionality uses GPO policy settings to determine " "whether or not a particular user is allowed to logon to the host. For more " "information on the supported policy settings please refer to the " "<quote>ad_gpo_map</quote> options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:392 msgid "" "Please note that current version of SSSD does not support Active Directory's " "built-in groups. Built-in groups (such as Administrators with SID " "S-1-5-32-544) in GPO access control rules will be ignored by SSSD. See " "upstream issue tracker https://github.com/SSSD/sssd/issues/5063 ." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:401 msgid "" "Before performing access control SSSD applies group policy security " "filtering on the GPOs. For every single user login, the applicability of the " "GPOs that are linked to the host is checked. In order for a GPO to apply to " "a user, the user or at least one of the groups to which it belongs must have " "following permissions on the GPO:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:411 msgid "" "Read: The user or one of its groups must have read access to the properties " "of the GPO (RIGHT_DS_READ_PROPERTY)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:418 msgid "" "Apply Group Policy: The user or at least one of its groups must be allowed " "to apply the GPO (RIGHT_DS_CONTROL_ACCESS)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:426 msgid "" "By default, the Authenticated Users group is present on a GPO and this group " "has both Read and Apply Group Policy access rights. Since authentication of " "a user must have been completed successfully before GPO security filtering " "and access control are started, the Authenticated Users group permissions on " "the GPO always apply also to the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:435 msgid "" "NOTE: If the operation mode is set to enforcing, it is possible that users " "that were previously allowed logon access will now be denied logon access " "(as dictated by the GPO policy settings). In order to facilitate a smooth " "transition for administrators, a permissive mode is available that will not " "enforce the access control rules, but will evaluate them and will output a " "syslog message if access would have been denied. By examining the logs, " "administrators can then make the necessary changes before setting the mode " "to enforcing. For logging GPO-based access control debug level 'trace " "functions' is required (see <citerefentry> " "<refentrytitle>sssctl</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry> manual page)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:454 msgid "There are three supported values for this option:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:458 msgid "disabled: GPO-based access control rules are neither evaluated nor enforced." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:464 msgid "enforcing: GPO-based access control rules are evaluated and enforced." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:470 msgid "" "permissive: GPO-based access control rules are evaluated, but not enforced. " "Instead, a syslog message will be emitted indicating that the user would " "have been denied access if this option's value were set to enforcing." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:481 msgid "Default: permissive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:484 msgid "Default: enforcing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:490 msgid "ad_gpo_implicit_deny (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:493 msgid "" "Normally when no applicable GPOs are found the users are allowed " "access. When this option is set to True users will be allowed access only " "when explicitly allowed by a GPO rule. Otherwise users will be denied " "access. This can be used to harden security but be careful when using this " "option because it can deny access even to users in the built-in " "Administrators group if no GPO rules apply to them." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:509 msgid "" "The following 2 tables should illustrate when a user is allowed or rejected " "based on the allow and deny login rights defined on the server-side and the " "setting of ad_gpo_implicit_deny." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:521 msgid "ad_gpo_implicit_deny = False (default)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:522 sssd-ad.5.xml:548 msgid "allow-rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:522 sssd-ad.5.xml:548 msgid "deny-rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:523 sssd-ad.5.xml:549 msgid "results" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> #: sssd-ad.5.xml:526 sssd-ad.5.xml:529 sssd-ad.5.xml:532 sssd-ad.5.xml:552 #: sssd-ad.5.xml:555 sssd-ad.5.xml:558 msgid "missing" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:527 msgid "all users are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry> #: sssd-ad.5.xml:529 sssd-ad.5.xml:532 sssd-ad.5.xml:535 sssd-ad.5.xml:555 #: sssd-ad.5.xml:558 sssd-ad.5.xml:561 msgid "present" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:530 msgid "only users not in deny-rules are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:533 sssd-ad.5.xml:559 msgid "only users in allow-rules are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:536 sssd-ad.5.xml:562 msgid "only users in allow-rules and not in deny-rules are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><thead><row><entry> #: sssd-ad.5.xml:547 msgid "ad_gpo_implicit_deny = True" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><informaltable><tgroup><tbody><row><entry><para> #: sssd-ad.5.xml:553 sssd-ad.5.xml:556 msgid "no users are allowed" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:569 msgid "ad_gpo_ignore_unreadable (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:572 msgid "" "Normally when some group policy containers (AD object) of applicable group " "policy objects are not readable by SSSD then users are denied access. This " "option allows to ignore group policy containers and with them associated " "policies if their attributes in group policy containers are not readable for " "SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:589 msgid "ad_gpo_cache_timeout (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:592 msgid "" "The amount of time between lookups of GPO policy files against the AD " "server. This will reduce the latency and load on the AD server if there are " "many access-control requests made in a short period." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:605 msgid "ad_gpo_map_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:608 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the InteractiveLogonRight and " "DenyInteractiveLogonRight policy settings. Only those GPOs are evaluated " "for which the user has Read and Apply Group Policy permission (see option " "<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " "deny interactive logon setting for the user or one of its groups, the user " "is denied local access. If none of the evaluated GPOs has an interactive " "logon right defined, the user is granted local access. If at least one " "evaluated GPO contains interactive logon right settings, the user is granted " "local access only, if it or at least one of its groups is part of the policy " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:626 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on locally\" and \"Deny log on locally\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:640 #, no-wrap msgid "" "ad_gpo_map_interactive = +my_pam_service, -login\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:631 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right " "(e.g. <quote>login</quote>) with a custom pam service name " "(e.g. <quote>my_pam_service</quote>), you would use the following " "configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:663 msgid "gdm-fingerprint" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:683 msgid "lightdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:688 msgid "lxdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:693 msgid "sddm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:698 msgid "unity" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:703 msgid "xdm" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:712 msgid "ad_gpo_map_remote_interactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:715 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the RemoteInteractiveLogonRight and " "DenyRemoteInteractiveLogonRight policy settings. Only those GPOs are " "evaluated for which the user has Read and Apply Group Policy permission (see " "option <quote>ad_gpo_access_control</quote>). If an evaluated GPO contains " "the deny remote logon setting for the user or one of its groups, the user is " "denied remote interactive access. If none of the evaluated GPOs has a " "remote interactive logon right defined, the user is granted remote " "access. If at least one evaluated GPO contains remote interactive logon " "right settings, the user is granted remote access only, if it or at least " "one of its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:734 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on through Remote Desktop Services\" and \"Deny log on through Remote " "Desktop Services\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:749 #, no-wrap msgid "" "ad_gpo_map_remote_interactive = +my_pam_service, -sshd\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:740 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right " "(e.g. <quote>sshd</quote>) with a custom pam service name " "(e.g. <quote>my_pam_service</quote>), you would use the following " "configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:757 msgid "sshd" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:762 msgid "cockpit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:771 msgid "ad_gpo_map_network (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:774 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the NetworkLogonRight and " "DenyNetworkLogonRight policy settings. Only those GPOs are evaluated for " "which the user has Read and Apply Group Policy permission (see option " "<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " "deny network logon setting for the user or one of its groups, the user is " "denied network logon access. If none of the evaluated GPOs has a network " "logon right defined, the user is granted logon access. If at least one " "evaluated GPO contains network logon right settings, the user is granted " "logon access only, if it or at least one of its groups is part of the policy " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:792 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Access " "this computer from the network\" and \"Deny access to this computer from the " "network\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:807 #, no-wrap msgid "" "ad_gpo_map_network = +my_pam_service, -ftp\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:798 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right " "(e.g. <quote>ftp</quote>) with a custom pam service name " "(e.g. <quote>my_pam_service</quote>), you would use the following " "configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:815 msgid "ftp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:820 msgid "samba" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:829 msgid "ad_gpo_map_batch (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:832 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the BatchLogonRight and DenyBatchLogonRight " "policy settings. Only those GPOs are evaluated for which the user has Read " "and Apply Group Policy permission (see option " "<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " "deny batch logon setting for the user or one of its groups, the user is " "denied batch logon access. If none of the evaluated GPOs has a batch logon " "right defined, the user is granted logon access. If at least one evaluated " "GPO contains batch logon right settings, the user is granted logon access " "only, if it or at least one of its groups is part of the policy settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:850 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on as a batch job\" and \"Deny log on as a batch job\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:864 #, no-wrap msgid "" "ad_gpo_map_batch = +my_pam_service, -crond\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:855 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for this logon right " "(e.g. <quote>crond</quote>) with a custom pam service name " "(e.g. <quote>my_pam_service</quote>), you would use the following " "configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:867 msgid "Note: Cron service name may differ depending on Linux distribution used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:873 msgid "crond" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:882 msgid "ad_gpo_map_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:885 msgid "" "A comma-separated list of PAM service names for which GPO-based access " "control is evaluated based on the ServiceLogonRight and " "DenyServiceLogonRight policy settings. Only those GPOs are evaluated for " "which the user has Read and Apply Group Policy permission (see option " "<quote>ad_gpo_access_control</quote>). If an evaluated GPO contains the " "deny service logon setting for the user or one of its groups, the user is " "denied service logon access. If none of the evaluated GPOs has a service " "logon right defined, the user is granted logon access. If at least one " "evaluated GPO contains service logon right settings, the user is granted " "logon access only, if it or at least one of its groups is part of the policy " "settings." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:903 msgid "" "Note: Using the Group Policy Management Editor this value is called \"Allow " "log on as a service\" and \"Deny log on as a service\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:916 #, no-wrap msgid "" "ad_gpo_map_service = +my_pam_service\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:908 sssd-ad.5.xml:983 msgid "" "It is possible to add a PAM service name to the default set by using " "<quote>+service_name</quote>. Since the default set is empty, it is not " "possible to remove a PAM service name from the default set. For example, in " "order to add a custom pam service name (e.g. <quote>my_pam_service</quote>), " "you would use the following configuration: <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:926 msgid "ad_gpo_map_permit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:929 msgid "" "A comma-separated list of PAM service names for which GPO-based access is " "always granted, regardless of any GPO Logon Rights." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:943 #, no-wrap msgid "" "ad_gpo_map_permit = +my_pam_service, -sudo\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:934 msgid "" "It is possible to add another PAM service name to the default set by using " "<quote>+service_name</quote> or to explicitly remove a PAM service name from " "the default set by using <quote>-service_name</quote>. For example, in " "order to replace a default PAM service name for unconditionally permitted " "access (e.g. <quote>sudo</quote>) with a custom pam service name " "(e.g. <quote>my_pam_service</quote>), you would use the following " "configuration: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:951 msgid "polkit-1" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:966 msgid "systemd-user" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:975 msgid "ad_gpo_map_deny (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:978 msgid "" "A comma-separated list of PAM service names for which GPO-based access is " "always denied, regardless of any GPO Logon Rights." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ad.5.xml:991 #, no-wrap msgid "" "ad_gpo_map_deny = +my_pam_service\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1001 msgid "ad_gpo_default_right (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1004 msgid "" "This option defines how access control is evaluated for PAM service names " "that are not explicitly listed in one of the ad_gpo_map_* options. This " "option can be set in two different manners. First, this option can be set to " "use a default logon right. For example, if this option is set to " "'interactive', it means that unmapped PAM service names will be processed " "based on the InteractiveLogonRight and DenyInteractiveLogonRight policy " "settings. Alternatively, this option can be set to either always permit or " "always deny access for unmapped PAM service names." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1017 msgid "Supported values for this option include:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1026 msgid "remote_interactive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1031 msgid "network" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1036 msgid "batch" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1041 msgid "service" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1046 msgid "permit" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><itemizedlist><listitem><para> #: sssd-ad.5.xml:1051 msgid "deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1057 msgid "Default: deny" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1063 msgid "ad_maximum_machine_account_password_age (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1066 msgid "" "SSSD will check once a day if the machine account password is older than the " "given age in days and try to renew it. A value of 0 will disable the renewal " "attempt." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1072 msgid "Default: 30 days" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1078 msgid "ad_machine_account_password_renewal_opts (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1081 msgid "" "This option should only be used to test the machine account renewal " "task. The option expects 2 integers separated by a colon (':'). The first " "integer defines the interval in seconds how often the task is run. The " "second specifies the initial timeout in seconds before the task is run for " "the first time after startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1090 msgid "Default: 86400:750 (24h and 15m)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1096 msgid "ad_update_samba_machine_account_password (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1099 msgid "" "If enabled, when SSSD renews the machine account password, it will also be " "updated in Samba's database. This prevents Samba's copy of the machine " "account password from getting out of date when it is set up to use AD for " "authentication." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1112 msgid "ad_use_ldaps (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1115 msgid "" "By default SSSD uses the plain LDAP port 389 and the Global Catalog port " "3628. If this option is set to True SSSD will use the LDAPS port 636 and " "Global Catalog port 3629 with LDAPS protection. Since AD does not allow to " "have multiple encryption layers on a single connection and we still want to " "use SASL/GSSAPI or SASL/GSS-SPNEGO for authentication the SASL security " "property maxssf is set to 0 (zero) for those connections." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ad.5.xml:1132 msgid "ad_allow_remote_domain_local_groups (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1135 msgid "" "If this option is set to <quote>true</quote> SSSD will not filter out Domain " "Local groups from remote domains in the AD forest. By default they are " "filtered out e.g. when following a nested group hierarchy in remote domains " "because they are not valid in the local domain. To be compatible with other " "solutions which make AD users and groups available on Linux client this " "option was added." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1145 msgid "" "Please note that setting this option to <quote>true</quote> will be against " "the intention of Domain Local group in Active Directory and <emphasis>SHOULD " "ONLY BE USED TO FACILITATE MIGRATION FROM OTHER " "SOLUTIONS</emphasis>. Although the group exists and user can be member of " "the group the intention is that the group should be only used in the domain " "it is defined and in no others. Since there is only one type of POSIX groups " "the only way to achieve this on the Linux side is to ignore those " "groups. This is also done by Active Directory as can be seen in the PAC of " "the Kerberos ticket for a local service or in tokenGroups requests where " "remote Domain Local groups are missing as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1161 msgid "" "Given the comments above, if this option is set to <quote>true</quote> the " "tokenGroups request must be disabled by setting " "<quote>ldap_use_tokengroups</quote> to <quote>false</quote> to get " "consistent group-memberships of a users. Additionally the Global Catalog " "lookup should be skipped as well by setting <quote>ad_enable_gc</quote> to " "<quote>false</quote>. Finally it might be necessary to modify " "<quote>ldap_group_nesting_level</quote> if the remote Domain Local groups " "can only be found with a deeper nesting level." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1184 msgid "" "Optional. This option tells SSSD to automatically update the Active " "Directory DNS server with the IP address of this client. The update is " "secured using GSS-TSIG. As a consequence, the Active Directory administrator " "only needs to allow secure updates for the DNS zone. The IP address of the " "AD LDAP connection is used for the updates, if it is not otherwise specified " "by using the <quote>dyndns_iface</quote> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1214 msgid "Default: 3600 (seconds)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1230 msgid "" "Default: Use the IP addresses of the interface which is used for AD LDAP " "connection" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ad.5.xml:1243 msgid "" "How often should the back end perform periodic DNS update in addition to the " "automatic update performed when the back end goes online. This option is " "optional and applicable only when dyndns_update is true. Note that the " "lowest possible value is 60 seconds in-case if value is provided less than " "60, parameter will assume lowest value only." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1393 msgid "" "The following example assumes that SSSD is correctly configured and " "example.com is one of the domains in the <replaceable>[sssd]</replaceable> " "section. This example shows only the AD provider-specific options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ad.5.xml:1400 #, no-wrap msgid "" "[domain/EXAMPLE]\n" "id_provider = ad\n" "auth_provider = ad\n" "access_provider = ad\n" "chpass_provider = ad\n" "\n" "ad_server = dc1.example.com\n" "ad_hostname = client.example.com\n" "ad_domain = example.com\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-ad.5.xml:1420 #, no-wrap msgid "" "access_provider = ldap\n" "ldap_access_order = expire\n" "ldap_account_expire_policy = ad\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1416 msgid "" "The AD access control provider checks if the account is expired. It has the " "same effect as the following configuration of the LDAP provider: " "<placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1426 msgid "" "However, unless the <quote>ad</quote> access control provider is explicitly " "configured, the default access provider is <quote>permit</quote>. Please " "note that if you configure an access provider other than <quote>ad</quote>, " "you need to set all the connection parameters (such as LDAP URIs and " "encryption details) manually." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ad.5.xml:1434 msgid "" "When the autofs provider is set to <quote>ad</quote>, the RFC2307 schema " "attribute mapping (nisMap, nisObject, ...) is used, because these attributes " "are included in the default Active Directory schema." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-sudo.5.xml:10 sssd-sudo.5.xml:16 msgid "sssd-sudo" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-sudo.5.xml:17 msgid "Configuring sudo with the SSSD back end" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:23 msgid "" "This manual page describes how to configure <citerefentry> " "<refentrytitle>sudo</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " "to work with <citerefentry> <refentrytitle>sssd</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> and how SSSD caches sudo rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:36 msgid "Configuring sudo to cooperate with SSSD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:38 msgid "" "To enable SSSD as a source for sudo rules, add <emphasis>sss</emphasis> to " "the <emphasis>sudoers</emphasis> entry in <citerefentry> " "<refentrytitle>nsswitch.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:47 msgid "" "For example, to configure sudo to first lookup rules in the standard " "<citerefentry> <refentrytitle>sudoers</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> file (which should contain rules " "that apply to local users) and then in SSSD, the nsswitch.conf file should " "contain the following line:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-sudo.5.xml:57 #, no-wrap msgid "sudoers: files sss\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:61 msgid "" "More information about configuring the sudoers search order from the " "nsswitch.conf file as well as information about the LDAP schema that is used " "to store sudo rules in the directory can be found in <citerefentry> " "<refentrytitle>sudoers.ldap</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:70 msgid "" "<emphasis>Note</emphasis>: in order to use netgroups or IPA hostgroups in " "sudo rules, you also need to correctly set <citerefentry> " "<refentrytitle>nisdomainname</refentrytitle> <manvolnum>1</manvolnum> " "</citerefentry> to your NIS domain name (which equals to IPA domain name " "when using hostgroups)." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:82 msgid "Configuring SSSD to fetch sudo rules" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:84 msgid "" "All configuration that is needed on SSSD side is to extend the list of " "<emphasis>services</emphasis> with \"sudo\" in [sssd] section of " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>. To speed up the LDAP lookups, you " "can also set search base for sudo rules using " "<emphasis>ldap_sudo_search_base</emphasis> option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:94 msgid "" "The following example shows how to configure SSSD to download sudo rules " "from an LDAP server." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-sudo.5.xml:99 #, no-wrap msgid "" "[sssd]\n" "config_file_version = 2\n" "services = nss, pam, sudo\n" "domains = EXAMPLE\n" "\n" "[domain/EXAMPLE]\n" "id_provider = ldap\n" "sudo_provider = ldap\n" "ldap_uri = ldap://example.com\n" "ldap_sudo_search_base = ou=sudoers,dc=example,dc=com\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:98 msgid "" "<placeholder type=\"programlisting\" id=\"0\"/> <phrase " "condition=\"have_systemd\"> It's important to note that on platforms where " "systemd is supported there's no need to add the \"sudo\" provider to the " "list of services, as it became optional. However, sssd-sudo.socket must be " "enabled instead. </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:118 msgid "" "When SSSD is configured to use IPA as the ID provider, the sudo provider is " "automatically enabled. The sudo search base is configured to use the IPA " "native LDAP tree (cn=sudo,$SUFFIX). If any other search base is defined in " "sssd.conf, this value will be used instead. The compat tree " "(ou=sudoers,$SUFFIX) is no longer required for IPA sudo functionality." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:128 msgid "The SUDO rule caching mechanism" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:130 msgid "" "The biggest challenge, when developing sudo support in SSSD, was to ensure " "that running sudo with SSSD as the data source provides the same user " "experience and is as fast as sudo but keeps providing the most current set " "of rules as possible. To satisfy these requirements, SSSD uses three kinds " "of updates. They are referred to as full refresh, smart refresh and rules " "refresh." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:138 msgid "" "The <emphasis>smart refresh</emphasis> periodically downloads rules that are " "new or were modified after the last update. Its primary goal is to keep the " "database growing by fetching only small increments that do not generate " "large amounts of network traffic." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:144 msgid "" "The <emphasis>full refresh</emphasis> simply deletes all sudo rules stored " "in the cache and replaces them with all rules that are stored on the " "server. This is used to keep the cache consistent by removing every rule " "which was deleted from the server. However, full refresh may produce a lot " "of traffic and thus it should be run only occasionally depending on the size " "and stability of the sudo rules." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:152 msgid "" "The <emphasis>rules refresh</emphasis> ensures that we do not grant the user " "more permission than defined. It is triggered each time the user runs " "sudo. Rules refresh will find all rules that apply to this user, check their " "expiration time and redownload them if expired. In the case that any of " "these rules are missing on the server, the SSSD will do an out of band full " "refresh because more rules (that apply to other users) may have been " "deleted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:161 msgid "" "If enabled, SSSD will store only rules that can be applied to this " "machine. This means rules that contain one of the following values in " "<emphasis>sudoHost</emphasis> attribute:" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:168 msgid "keyword ALL" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:173 msgid "wildcard" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:178 msgid "netgroup (in the form \"+netgroup\")" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:183 msgid "hostname or fully qualified domain name of this machine" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:188 msgid "one of the IP addresses of this machine" msgstr "" #. type: Content of: <reference><refentry><refsect1><itemizedlist><listitem><para> #: sssd-sudo.5.xml:193 msgid "one of the IP addresses of the network (in the form \"address/mask\")" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:199 msgid "" "There are many configuration options that can be used to adjust the " "behavior. Please refer to \"ldap_sudo_*\" in <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> and \"sudo_*\" in <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-sudo.5.xml:213 msgid "Tuning the performance" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:215 msgid "" "SSSD uses different kinds of mechanisms with more or less complex LDAP " "filters to keep the cached sudo rules up to date. The default configuration " "is set to values that should satisfy most of our users, but the following " "paragraphs contain few tips on how to fine- tune the configuration to your " "requirements." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:222 msgid "" "1. <emphasis>Index LDAP attributes</emphasis>. Make sure that following LDAP " "attributes are indexed: objectClass, cn, entryUSN or modifyTimestamp." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:227 msgid "" "2. <emphasis>Set ldap_sudo_search_base</emphasis>. Set the search base to " "the container that holds the sudo rules to limit the scope of the lookup." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:232 msgid "" "3. <emphasis>Set full and smart refresh interval</emphasis>. If your sudo " "rules do not change often and you do not require quick update of cached " "rules on your clients, you may consider increasing the " "<emphasis>ldap_sudo_full_refresh_interval</emphasis> and " "<emphasis>ldap_sudo_smart_refresh_interval</emphasis>. You may also consider " "disabling the smart refresh by setting " "<emphasis>ldap_sudo_smart_refresh_interval = 0</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-sudo.5.xml:241 msgid "" "4. If you have large number of clients, you may consider increasing the " "value of <emphasis>ldap_sudo_random_offset</emphasis> to distribute the load " "on the server better." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd.8.xml:10 sssd.8.xml:15 msgid "sssd" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd.8.xml:16 msgid "System Security Services Daemon" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sssd.8.xml:21 msgid "" "<command>sssd</command> <arg choice='opt'> " "<replaceable>options</replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.8.xml:31 msgid "" "<command>SSSD</command> provides a set of daemons to manage access to remote " "directories and authentication mechanisms. It provides an NSS and PAM " "interface toward the system and a pluggable backend system to connect to " "multiple different account sources as well as D-Bus interface. It is also " "the basis to provide client auditing and policy services for projects like " "FreeIPA. It provides a more robust database to store local users as well as " "extended user data." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:46 msgid "" "<option>-d</option>,<option>--debug-level</option> " "<replaceable>LEVEL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:53 msgid "<option>--debug-timestamps=</option><replaceable>mode</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:57 msgid "<emphasis>1</emphasis>: Add a timestamp to the debug messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:60 msgid "<emphasis>0</emphasis>: Disable timestamp in the debug messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:69 msgid "<option>--debug-microseconds=</option><replaceable>mode</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:73 msgid "<emphasis>1</emphasis>: Add microseconds to the timestamp in debug messages" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:76 msgid "<emphasis>0</emphasis>: Disable microseconds in timestamp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:85 msgid "<option>--logger=</option><replaceable>value</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:89 msgid "Location where SSSD will send log messages." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:92 msgid "" "<emphasis>stderr</emphasis>: Redirect debug messages to standard error " "output." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:96 msgid "" "<emphasis>files</emphasis>: Redirect debug messages to the log files. By " "default, the log files are stored in <filename>/var/log/sssd</filename> and " "there are separate log files for every SSSD service and domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:102 msgid "<emphasis>journald</emphasis>: Redirect debug messages to systemd-journald" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:106 msgid "Default: not set (fall back to journald if available, otherwise to stderr)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:113 msgid "<option>-D</option>,<option>--daemon</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:117 msgid "Become a daemon after starting up." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:123 sss_seed.8.xml:136 msgid "<option>-i</option>,<option>--interactive</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:127 msgid "Run in the foreground, don't become a daemon." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:133 msgid "<option>-c</option>,<option>--config</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:137 msgid "" "Specify a non-default config file. The default is " "<filename>/etc/sssd/sssd.conf</filename>. For reference on the config file " "syntax and options, consult the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:150 msgid "<option>-g</option>,<option>--genconf</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:154 msgid "" "Do not start the SSSD, but refresh the configuration database from the " "contents of <filename>/etc/sssd/sssd.conf</filename> and exit." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:162 msgid "<option>-s</option>,<option>--genconf-section</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:166 msgid "" "Similar to <quote>--genconf</quote>, but only refresh a single section from " "the configuration file. This option is useful mainly to be called from " "systemd unit files to allow socket-activated responders to refresh their " "configuration without requiring the administrator to restart the whole SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:178 msgid "<option>--version</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:182 msgid "Print version number and exit." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd.8.xml:190 msgid "Signals" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:193 msgid "SIGTERM/SIGINT" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:196 msgid "" "Informs the SSSD to gracefully terminate all of its child processes and then " "shut down the monitor." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:202 msgid "SIGHUP" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:205 msgid "" "Tells the SSSD to stop writing to its current debug file descriptors and to " "close and reopen them. This is meant to facilitate log rolling with programs " "like logrotate." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:213 msgid "SIGUSR1" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:216 msgid "" "Tells the SSSD to simulate offline operation for the duration of the " "<quote>offline_timeout</quote> parameter. This is useful for testing. The " "signal can be sent to either the sssd process or any sssd_be process " "directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd.8.xml:225 msgid "SIGUSR2" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd.8.xml:228 msgid "" "Tells the SSSD to go online immediately. This is useful for testing. The " "signal can be sent to either the sssd process or any sssd_be process " "directly." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.8.xml:240 msgid "" "If the environment variable SSS_NSS_USE_MEMCACHE is set to \"NO\", client " "applications will not use the fast in-memory cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd.8.xml:244 msgid "" "If the environment variable SSS_LOCKFREE is set to \"NO\", requests from " "multiple threads of a single application will be serialized." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_obfuscate.8.xml:10 sss_obfuscate.8.xml:15 msgid "sss_obfuscate" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_obfuscate.8.xml:16 msgid "obfuscate a clear text password" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_obfuscate.8.xml:21 msgid "" "<command>sss_obfuscate</command> <arg choice='opt'> " "<replaceable>options</replaceable> </arg> <arg " "choice='plain'><replaceable>[PASSWORD]</replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_obfuscate.8.xml:32 msgid "" "<command>sss_obfuscate</command> converts a given password into " "human-unreadable format and places it into appropriate domain section of the " "SSSD config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_obfuscate.8.xml:37 msgid "" "The cleartext password is read from standard input or entered " "interactively. The obfuscated password is put into " "<quote>ldap_default_authtok</quote> parameter of a given SSSD domain and the " "<quote>ldap_default_authtok_type</quote> parameter is set to " "<quote>obfuscated_password</quote>. Refer to <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more details on these parameters." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_obfuscate.8.xml:49 msgid "" "Please note that obfuscating the password provides <emphasis>no real " "security benefit</emphasis> as it is still possible for an attacker to " "reverse-engineer the password back. Using better authentication mechanisms " "such as client side certificates or GSSAPI is <emphasis>strongly</emphasis> " "advised." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_obfuscate.8.xml:63 msgid "<option>-s</option>,<option>--stdin</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:67 msgid "The password to obfuscate will be read from standard input." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_obfuscate.8.xml:74 sss_ssh_authorizedkeys.1.xml:127 #: sss_ssh_knownhostsproxy.1.xml:78 msgid "" "<option>-d</option>,<option>--domain</option> " "<replaceable>DOMAIN</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:79 msgid "" "The SSSD domain to use the password in. The default name is " "<quote>default</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_obfuscate.8.xml:86 msgid "<option>-f</option>,<option>--file</option> <replaceable>FILE</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:91 msgid "Read the config file specified by the positional parameter." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_obfuscate.8.xml:95 msgid "Default: <filename>/etc/sssd/sssd.conf</filename>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_override.8.xml:10 sss_override.8.xml:15 msgid "sss_override" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_override.8.xml:16 msgid "create local overrides of user and group attributes" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_override.8.xml:21 msgid "" "<command>sss_override</command> <arg " "choice='plain'><replaceable>COMMAND</replaceable></arg> <arg choice='opt'> " "<replaceable>options</replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:32 msgid "" "<command>sss_override</command> enables to create a client-side view and " "allows to change selected values of specific user and groups. This change " "takes effect only on local machine." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:37 msgid "" "Overrides data are stored in the SSSD cache. If the cache is deleted, all " "local overrides are lost. Please note that after the first override is " "created using any of the following <emphasis>user-add</emphasis>, " "<emphasis>group-add</emphasis>, <emphasis>user-import</emphasis> or " "<emphasis>group-import</emphasis> command. SSSD needs to be restarted to " "take effect. <emphasis>sss_override</emphasis> prints message when a " "restart is required." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:48 msgid "" "<emphasis>NOTE:</emphasis> The options provided in this man page only work " "with <quote>ldap</quote> and <quote>AD</quote> <quote> " "id_provider</quote>. IPA overrides can be managed centrally on the IPA " "server." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_override.8.xml:56 sssctl.8.xml:41 msgid "AVAILABLE COMMANDS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:58 msgid "" "Argument <emphasis>NAME</emphasis> is the name of original object in all " "commands. It is not possible to override <emphasis>uid</emphasis> or " "<emphasis>gid</emphasis> to 0." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:65 msgid "" "<option>user-add</option> <emphasis>NAME</emphasis> " "<optional><option>-n,--name</option> NAME</optional> " "<optional><option>-u,--uid</option> UID</optional> " "<optional><option>-g,--gid</option> GID</optional> " "<optional><option>-h,--home</option> HOME</optional> " "<optional><option>-s,--shell</option> SHELL</optional> " "<optional><option>-c,--gecos</option> GECOS</optional> " "<optional><option>-x,--certificate</option> BASE64 ENCODED " "CERTIFICATE</optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:78 msgid "" "Override attributes of an user. Please be aware that calling this command " "will replace any previous override for the (NAMEd) user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:86 msgid "<option>user-del</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:91 msgid "" "Remove user overrides. However be aware that overridden attributes might be " "returned from memory cache. Please see SSSD option " "<emphasis>memcache_timeout</emphasis> for more details." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:100 msgid "" "<option>user-find</option> <optional><option>-d,--domain</option> " "DOMAIN</optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:105 msgid "" "List all users with set overrides. If <emphasis>DOMAIN</emphasis> parameter " "is set, only users from the domain are listed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:113 msgid "<option>user-show</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:118 msgid "Show user overrides." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:124 msgid "<option>user-import</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:129 msgid "" "Import user overrides from <emphasis>FILE</emphasis>. Data format is " "similar to standard passwd file. The format is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:134 msgid "original_name:name:uid:gid:gecos:home:shell:base64_encoded_certificate" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:137 msgid "" "where original_name is original name of the user whose attributes should be " "overridden. The rest of fields correspond to new values. You can omit a " "value simply by leaving corresponding field empty." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:146 msgid "ckent:superman::::::" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:149 msgid "ckent@krypton.com::501:501:Superman:/home/earth:/bin/bash:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:155 msgid "<option>user-export</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:160 msgid "" "Export all overridden attributes and store them in " "<emphasis>FILE</emphasis>. See <emphasis>user-import</emphasis> for data " "format." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:168 msgid "" "<option>group-add</option> <emphasis>NAME</emphasis> " "<optional><option>-n,--name</option> NAME</optional> " "<optional><option>-g,--gid</option> GID</optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:175 msgid "" "Override attributes of a group. Please be aware that calling this command " "will replace any previous override for the (NAMEd) group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:183 msgid "<option>group-del</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:188 msgid "" "Remove group overrides. However be aware that overridden attributes might be " "returned from memory cache. Please see SSSD option " "<emphasis>memcache_timeout</emphasis> for more details." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:197 msgid "" "<option>group-find</option> <optional><option>-d,--domain</option> " "DOMAIN</optional>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:202 msgid "" "List all groups with set overrides. If <emphasis>DOMAIN</emphasis> " "parameter is set, only groups from the domain are listed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:210 msgid "<option>group-show</option> <emphasis>NAME</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:215 msgid "Show group overrides." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:221 msgid "<option>group-import</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:226 msgid "" "Import group overrides from <emphasis>FILE</emphasis>. Data format is " "similar to standard group file. The format is:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:231 msgid "original_name:name:gid" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:234 msgid "" "where original_name is original name of the group whose attributes should be " "overridden. The rest of fields correspond to new values. You can omit a " "value simply by leaving corresponding field empty." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:243 msgid "admins:administrators:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:246 msgid "Domain Users:Users:501" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:252 msgid "<option>group-export</option> <emphasis>FILE</emphasis>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_override.8.xml:257 msgid "" "Export all overridden attributes and store them in " "<emphasis>FILE</emphasis>. See <emphasis>group-import</emphasis> for data " "format." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_override.8.xml:267 sssctl.8.xml:50 msgid "COMMON OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_override.8.xml:269 sssctl.8.xml:52 msgid "Those options are available with all commands." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_override.8.xml:274 sssctl.8.xml:57 msgid "<option>--debug</option> <replaceable>LEVEL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-krb5.5.xml:10 sssd-krb5.5.xml:16 msgid "sssd-krb5" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-krb5.5.xml:17 msgid "SSSD Kerberos provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:23 msgid "" "This manual page describes the configuration of the Kerberos 5 " "authentication backend for <citerefentry> " "<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. For a detailed syntax reference, please refer to the " "<quote>FILE FORMAT</quote> section of the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:36 msgid "" "The Kerberos 5 authentication backend contains auth and chpass providers. It " "must be paired with an identity provider in order to function properly (for " "example, id_provider = ldap). Some information required by the Kerberos 5 " "authentication backend must be provided by the identity provider, such as " "the user's Kerberos Principal Name (UPN). The configuration of the identity " "provider should have an entry to specify the UPN. Please refer to the man " "page for the applicable identity provider for details on how to configure " "this." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:47 msgid "" "This backend also provides access control based on the .k5login file in the " "home directory of the user. See <citerefentry> " "<refentrytitle>k5login</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry> for more details. Please note that an empty .k5login file " "will deny all access to this user. To activate this feature, use " "'access_provider = krb5' in your SSSD configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:55 msgid "" "In the case where the UPN is not available in the identity backend, " "<command>sssd</command> will construct a UPN using the format " "<replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:77 msgid "" "Specifies the comma-separated list of IP addresses or hostnames of the " "Kerberos servers to which SSSD should connect, in the order of " "preference. For more information on failover and server redundancy, see the " "<quote>FAILOVER</quote> section. An optional port number (preceded by a " "colon) may be appended to the addresses or hostnames. If empty, service " "discovery is enabled; for more information, refer to the <quote>SERVICE " "DISCOVERY</quote> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:106 msgid "" "The name of the Kerberos realm. This option is required and must be " "specified." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:113 msgid "krb5_kpasswd, krb5_backup_kpasswd (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:116 msgid "" "If the change password service is not running on the KDC, alternative " "servers can be defined here. An optional port number (preceded by a colon) " "may be appended to the addresses or hostnames." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:122 msgid "" "For more information on failover and server redundancy, see the " "<quote>FAILOVER</quote> section. NOTE: Even if there are no more kpasswd " "servers to try, the backend is not switched to operate offline if " "authentication against the KDC is still possible." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:129 msgid "Default: Use the KDC" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:135 msgid "krb5_ccachedir (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:138 msgid "" "Directory to store credential caches. All the substitution sequences of " "krb5_ccname_template can be used here, too, except %d and %P. The directory " "is created as private and owned by the user, with permissions set to 0700." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:145 msgid "Default: /tmp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:151 msgid "krb5_ccname_template (string)" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:165 include/override_homedir.xml:11 msgid "%u" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:166 include/override_homedir.xml:12 msgid "login name" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:169 include/override_homedir.xml:15 msgid "%U" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:170 msgid "login UID" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:173 msgid "%p" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:174 msgid "principal name" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:178 msgid "%r" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:179 msgid "realm name" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:182 include/override_homedir.xml:42 msgid "%h" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:183 sssd-ifp.5.xml:124 msgid "home directory" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:187 include/override_homedir.xml:19 msgid "%d" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:188 msgid "value of krb5_ccachedir" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:193 include/override_homedir.xml:31 msgid "%P" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:194 msgid "the process ID of the SSSD client" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:199 include/override_homedir.xml:56 msgid "%%" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:200 include/override_homedir.xml:57 msgid "a literal '%'" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:154 msgid "" "Location of the user's credential cache. Three credential cache types are " "currently supported: <quote>FILE</quote>, <quote>DIR</quote> and " "<quote>KEYRING:persistent</quote>. The cache can be specified either as " "<replaceable>TYPE:RESIDUAL</replaceable>, or as an absolute path, which " "implies the <quote>FILE</quote> type. In the template, the following " "sequences are substituted: <placeholder type=\"variablelist\" id=\"0\"/> If " "the template ends with 'XXXXXX' mkstemp(3) is used to create a unique " "filename in a safe way." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:208 msgid "" "When using KEYRING types, the only supported mechanism is " "<quote>KEYRING:persistent:%U</quote>, which uses the Linux kernel keyring to " "store credentials on a per-UID basis. This is also the recommended choice, " "as it is the most secure and predictable method." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:216 msgid "" "The default value for the credential cache name is sourced from the profile " "stored in the system wide krb5.conf configuration file in the [libdefaults] " "section. The option name is default_ccache_name. See krb5.conf(5)'s " "PARAMETER EXPANSION paragraph for additional information on the expansion " "format defined by krb5.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:225 msgid "" "NOTE: Please be aware that libkrb5 ccache expansion template from " "<citerefentry> <refentrytitle>krb5.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> uses different expansion sequences " "than SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:234 msgid "Default: (from libkrb5)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:240 msgid "krb5_keytab (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:243 msgid "" "The location of the keytab to use when validating credentials obtained from " "KDCs." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:253 msgid "krb5_store_password_if_offline (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:256 msgid "" "Store the password of the user if the provider is offline and use it to " "request a TGT when the provider comes online again." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:261 msgid "" "NOTE: this feature is only available on Linux. Passwords stored in this way " "are kept in plaintext in the kernel keyring and are potentially accessible " "by the root user (with difficulty)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:274 msgid "krb5_use_fast (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:277 msgid "" "Enables flexible authentication secure tunneling (FAST) for Kerberos " "pre-authentication. The following options are supported:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:282 msgid "" "<emphasis>never</emphasis> use FAST. This is equivalent to not setting this " "option at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:286 msgid "" "<emphasis>try</emphasis> to use FAST. If the server does not support FAST, " "continue the authentication without it." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:291 msgid "" "<emphasis>demand</emphasis> to use FAST. The authentication fails if the " "server does not require fast." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:296 msgid "Default: not set, i.e. FAST is not used." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:299 msgid "NOTE: a keytab or support for anonymous PKINIT is required to use FAST." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:303 msgid "" "NOTE: SSSD supports FAST only with MIT Kerberos version 1.8 and later. If " "SSSD is used with an older version of MIT Kerberos, using this option is a " "configuration error." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:312 msgid "krb5_fast_principal (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:315 msgid "Specifies the server principal to use for FAST." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:321 msgid "krb5_fast_use_anonymous_pkinit (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:324 msgid "" "If set to true try to use anonymous PKINIT instead of a keytab to get the " "required credential for FAST. The krb5_fast_principal options is ignored in " "this case." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:364 msgid "krb5_kdcinfo_lookahead (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:367 msgid "" "When krb5_use_kdcinfo is set to true, you can limit the amount of servers " "handed to <citerefentry> " "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry>. This might be helpful when there " "are too many servers discovered using SRV record." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:377 msgid "" "The krb5_kdcinfo_lookahead option contains two numbers separated by a " "colon. The first number represents number of primary servers used and the " "second number specifies the number of backup servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:383 msgid "" "For example <emphasis>10:0</emphasis> means that up to 10 primary servers " "will be handed to <citerefentry> " "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> but no backup servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:392 msgid "Default: 3:1" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:398 msgid "krb5_use_enterprise_principal (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:401 msgid "" "Specifies if the user principal should be treated as enterprise " "principal. See section 5 of RFC 6806 for more details about enterprise " "principals." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:407 msgid "Default: false (AD provider: true)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:410 msgid "" "The IPA provider will set to option to 'true' if it detects that the server " "is capable of handling enterprise principals and the option is not set " "explicitly in the config file." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:419 msgid "krb5_use_subdomain_realm (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:422 msgid "" "Specifies to use subdomains realms for the authentication of users from " "trusted domains. This option can be set to 'true' if enterprise principals " "are used with upnSuffixes which are not known on the parent domain KDCs. If " "the option is set to 'true' SSSD will try to send the request directly to a " "KDC of the trusted domain the user is coming from." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-krb5.5.xml:438 msgid "krb5_map_user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:441 msgid "" "The list of mappings is given as a comma-separated list of pairs " "<quote>username:primary</quote> where <quote>username</quote> is a UNIX user " "name and <quote>primary</quote> is a user part of a kerberos principal. This " "mapping is used when user is authenticating using <quote>auth_provider = " "krb5</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para><programlisting> #: sssd-krb5.5.xml:453 #, no-wrap msgid "" "krb5_realm = REALM\n" "krb5_map_user = joe:juser,dick:richard\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-krb5.5.xml:458 msgid "" "<quote>joe</quote> and <quote>dick</quote> are UNIX user names and " "<quote>juser</quote> and <quote>richard</quote> are primaries of kerberos " "principals. For user <quote>joe</quote> resp. <quote>dick</quote> SSSD will " "try to kinit as <quote>juser@REALM</quote> resp. " "<quote>richard@REALM</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:65 msgid "" "If the auth-module krb5 is used in an SSSD domain, the following options " "must be used. See the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page, section <quote>DOMAIN SECTIONS</quote>, for " "details on the configuration of an SSSD domain. <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-krb5.5.xml:485 msgid "" "The following example assumes that SSSD is correctly configured and FOO is " "one of the domains in the <replaceable>[sssd]</replaceable> section. This " "example shows only configuration of Kerberos authentication; it does not " "include any identity provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-krb5.5.xml:493 #, no-wrap msgid "" "[domain/FOO]\n" "auth_provider = krb5\n" "krb5_server = 192.168.1.1\n" "krb5_realm = EXAMPLE.COM\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_cache.8.xml:10 sss_cache.8.xml:15 msgid "sss_cache" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_cache.8.xml:16 msgid "perform cache cleanup" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_cache.8.xml:21 msgid "" "<command>sss_cache</command> <arg choice='opt'> " "<replaceable>options</replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:31 msgid "" "<command>sss_cache</command> invalidates records in SSSD cache. Invalidated " "records are forced to be reloaded from server as soon as related SSSD " "backend is online. Options that invalidate a single object only accept a " "single provided argument." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:43 msgid "<option>-E</option>,<option>--everything</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:47 msgid "Invalidate all cached entries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:53 msgid "<option>-u</option>,<option>--user</option> <replaceable>login</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:58 msgid "Invalidate specific user." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:64 msgid "<option>-U</option>,<option>--users</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:68 msgid "" "Invalidate all user records. This option overrides invalidation of specific " "user if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:75 msgid "" "<option>-g</option>,<option>--group</option> " "<replaceable>group</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:80 msgid "Invalidate specific group." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:86 msgid "<option>-G</option>,<option>--groups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:90 msgid "" "Invalidate all group records. This option overrides invalidation of specific " "group if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:97 msgid "" "<option>-n</option>,<option>--netgroup</option> " "<replaceable>netgroup</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:102 msgid "Invalidate specific netgroup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:108 msgid "<option>-N</option>,<option>--netgroups</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:112 msgid "" "Invalidate all netgroup records. This option overrides invalidation of " "specific netgroup if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:119 msgid "" "<option>-s</option>,<option>--service</option> " "<replaceable>service</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:124 msgid "Invalidate specific service." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:130 msgid "<option>-S</option>,<option>--services</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:134 msgid "" "Invalidate all service records. This option overrides invalidation of " "specific service if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:141 msgid "" "<option>-a</option>,<option>--autofs-map</option> " "<replaceable>autofs-map</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:146 msgid "Invalidate specific autofs maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:152 msgid "<option>-A</option>,<option>--autofs-maps</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:156 msgid "" "Invalidate all autofs maps. This option overrides invalidation of specific " "map if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:163 msgid "" "<option>-h</option>,<option>--ssh-host</option> " "<replaceable>hostname</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:168 msgid "Invalidate SSH public keys of a specific host." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:174 msgid "<option>-H</option>,<option>--ssh-hosts</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:178 msgid "" "Invalidate SSH public keys of all hosts. This option overrides invalidation " "of SSH public keys of specific host if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:186 msgid "" "<option>-r</option>,<option>--sudo-rule</option> " "<replaceable>rule</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:191 msgid "Invalidate particular sudo rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:197 msgid "<option>-R</option>,<option>--sudo-rules</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:201 msgid "" "Invalidate all cached sudo rules. This option overrides invalidation of " "specific sudo rule if it was also set." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_cache.8.xml:209 msgid "" "<option>-d</option>,<option>--domain</option> " "<replaceable>domain</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_cache.8.xml:214 msgid "Restrict invalidation process only to a particular domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_cache.8.xml:224 msgid "EFFECTS ON THE FAST MEMORY CACHE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:226 msgid "" "<command>sss_cache</command> also invalidates the memory cache. Since the " "memory cache is a file which is mapped into the memory of each process which " "called SSSD to resolve users or groups the file cannot be truncated. A " "special flag is set in the header of the file to indicate that the content " "is invalid and then the file is unlinked by SSSD's NSS responder and a new " "cache file is created. Whenever a process is now doing a new lookup for a " "user or a group it will see the flag, close the old memory cache file and " "map the new one into its memory. When all processes which had opened the old " "memory cache file have closed it while looking up a user or a group the " "kernel can release the occupied disk space and the old memory cache file is " "finally removed completely." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:240 msgid "" "A special case is long running processes which are doing user or group " "lookups only at startup, e.g. to determine the name of the user the process " "is running as. For those lookups the memory cache file is mapped into the " "memory of the process. But since there will be no further lookups this " "process would never detect if the memory cache file was invalidated and " "hence it will be kept in memory and will occupy disk space until the process " "stops. As a result calling <command>sss_cache</command> might increase the " "disk usage because old memory cache files cannot be removed from the disk " "because they are still mapped by long running processes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_cache.8.xml:252 msgid "" "A possible work-around for long running processes which are looking up users " "and groups only at startup or very rarely is to run them with the " "environment variable SSS_NSS_USE_MEMCACHE set to \"NO\" so that they won't " "use the memory cache at all and not map the memory cache file into the " "memory. In general a better solution is to tune the cache timeout parameters " "so that they meet the local expectations and calling " "<command>sss_cache</command> is not needed." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_debuglevel.8.xml:10 sss_debuglevel.8.xml:15 msgid "sss_debuglevel" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_debuglevel.8.xml:16 msgid "[DEPRECATED] change debug level while SSSD is running" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_debuglevel.8.xml:21 msgid "" "<command>sss_debuglevel</command> <arg choice='opt'> " "<replaceable>options</replaceable> </arg> <arg " "choice='plain'><replaceable>NEW_DEBUG_LEVEL</replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_debuglevel.8.xml:32 msgid "" "<command>sss_debuglevel</command> is deprecated and replaced by the sssctl " "debug-level command. Please refer to the <command>sssctl</command> man page " "for more information on sssctl usage." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_seed.8.xml:10 sss_seed.8.xml:15 msgid "sss_seed" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_seed.8.xml:16 msgid "seed the SSSD cache with a user" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_seed.8.xml:21 msgid "" "<command>sss_seed</command> <arg choice='opt'> " "<replaceable>options</replaceable> </arg> <arg choice='plain'>-D " "<replaceable>DOMAIN</replaceable></arg> <arg choice='plain'>-n " "<replaceable>USER</replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_seed.8.xml:33 msgid "" "<command>sss_seed</command> seeds the SSSD cache with a user entry and " "temporary password. If a user entry is already present in the SSSD cache " "then the entry is updated with the temporary password." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:46 msgid "" "<option>-D</option>,<option>--domain</option> " "<replaceable>DOMAIN</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:51 msgid "" "Provide the name of the domain in which the user is a member of. The domain " "is also used to retrieve user information. The domain must be configured in " "sssd.conf. The <replaceable>DOMAIN</replaceable> option must be provided. " "Information retrieved from the domain overrides what is provided in the " "options." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:63 msgid "" "<option>-n</option>,<option>--username</option> " "<replaceable>USER</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:68 msgid "" "The username of the entry to be created or modified in the cache. The " "<replaceable>USER</replaceable> option must be provided." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:76 msgid "<option>-u</option>,<option>--uid</option> <replaceable>UID</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:81 msgid "Set the UID of the user to <replaceable>UID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:88 msgid "<option>-g</option>,<option>--gid</option> <replaceable>GID</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:93 msgid "Set the GID of the user to <replaceable>GID</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:100 msgid "" "<option>-c</option>,<option>--gecos</option> " "<replaceable>COMMENT</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:105 msgid "" "Any text string describing the user. Often used as the field for the user's " "full name." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:112 msgid "" "<option>-h</option>,<option>--home</option> " "<replaceable>HOME_DIR</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:117 msgid "Set the home directory of the user to <replaceable>HOME_DIR</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:124 msgid "" "<option>-s</option>,<option>--shell</option> " "<replaceable>SHELL</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:129 msgid "Set the login shell of the user to <replaceable>SHELL</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:140 msgid "" "Interactive mode for entering user information. This option will only prompt " "for information not provided in the options or retrieved from the domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_seed.8.xml:148 msgid "" "<option>-p</option>,<option>--password-file</option> " "<replaceable>PASS_FILE</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_seed.8.xml:153 msgid "" "Specify file to read user's password from. (if not specified password is " "prompted for)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_seed.8.xml:165 msgid "" "The length of the password (or the size of file specified with -p or " "--password-file option) must be less than or equal to PASS_MAX bytes (64 " "bytes on systems with no globally-defined PASS_MAX value)." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ifp.5.xml:10 sssd-ifp.5.xml:16 msgid "sssd-ifp" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ifp.5.xml:17 msgid "SSSD InfoPipe responder" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ifp.5.xml:23 msgid "" "This manual page describes the configuration of the InfoPipe responder for " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ifp.5.xml:36 msgid "" "The InfoPipe responder provides a public D-Bus interface accessible over the " "system bus. The interface allows the user to query information about remote " "users and groups over the system bus." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-ifp.5.xml:43 msgid "FIND BY VALID CERTIFICATE" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ifp.5.xml:45 msgid "" "The following options can be used to control how the certificates are " "validated when using the FindByValidCertificate() API:" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ifp.5.xml:48 sss_ssh_authorizedkeys.1.xml:92 msgid "ca_db" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ifp.5.xml:49 sss_ssh_authorizedkeys.1.xml:93 msgid "p11_child_timeout" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><itemizedlist><listitem><para> #: sssd-ifp.5.xml:50 sss_ssh_authorizedkeys.1.xml:94 msgid "certificate_verification" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-ifp.5.xml:52 msgid "" "For more details about the options see " "<citerefentry><refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ifp.5.xml:62 msgid "These options can be used to configure the InfoPipe responder." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:69 msgid "" "Specifies the comma-separated list of UID values or user names that are " "allowed to access the InfoPipe responder. User names are resolved to UIDs at " "startup." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:75 msgid "Default: 0 (only the root user is allowed to access the InfoPipe responder)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:79 msgid "" "Please note that although the UID 0 is used as the default it will be " "overwritten with this option. If you still want to allow the root user to " "access the InfoPipe responder, which would be the typical case, you have to " "add 0 to the list of allowed UIDs as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:93 msgid "Specifies the comma-separated list of white or blacklisted attributes." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:107 msgid "name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:108 msgid "user's login name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:111 msgid "uidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:112 msgid "user ID" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:115 msgid "gidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:116 msgid "primary group ID" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:119 msgid "gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:120 msgid "user information, typically full name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:123 msgid "homeDirectory" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><term> #: sssd-ifp.5.xml:127 msgid "loginShell" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:128 msgid "user shell" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:97 msgid "" "By default, the InfoPipe responder only allows the default set of POSIX " "attributes to be requested. This set is the same as returned by " "<citerefentry> <refentrytitle>getpwnam</refentrytitle> " "<manvolnum>3</manvolnum> </citerefentry> and includes: <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para><programlisting> #: sssd-ifp.5.xml:141 #, no-wrap msgid "" "user_attributes = +telephoneNumber, -loginShell\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:133 msgid "" "It is possible to add another attribute to this set by using " "<quote>+attr_name</quote> or explicitly remove an attribute using " "<quote>-attr_name</quote>. For example, to allow " "<quote>telephoneNumber</quote> but deny <quote>loginShell</quote>, you would " "use the following configuration: <placeholder type=\"programlisting\" " "id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:145 msgid "Default: not set. Only the default set of POSIX attributes is allowed." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:155 msgid "" "Specifies an upper limit on the number of entries that are downloaded during " "a wildcard lookup that overrides caller-supplied limit." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-ifp.5.xml:160 msgid "Default: 0 (let the caller set an upper limit)" msgstr "" #. type: Content of: <reference><refentry><refentryinfo> #: sss_rpcidmapd.5.xml:8 msgid "" "<productname>sss rpc.idmapd plugin</productname> <author> " "<firstname>Noam</firstname> <surname>Meltzer</surname> <affiliation> " "<orgname>Primary Data Inc.</orgname> </affiliation> <contrib>Developer " "(2013-2014)</contrib> </author> <author> <firstname>Noam</firstname> " "<surname>Meltzer</surname> <contrib>Developer (2014-)</contrib> " "<email>tsnoam@gmail.com</email> </author>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_rpcidmapd.5.xml:26 sss_rpcidmapd.5.xml:32 msgid "sss_rpcidmapd" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_rpcidmapd.5.xml:33 msgid "sss plugin configuration directives for rpc.idmapd" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_rpcidmapd.5.xml:37 msgid "CONFIGURATION FILE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:39 msgid "" "rpc.idmapd configuration file is usually found at " "<emphasis>/etc/idmapd.conf</emphasis>. See <citerefentry> " "<refentrytitle>idmapd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> for more information." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_rpcidmapd.5.xml:49 msgid "SSS CONFIGURATION EXTENSION" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss_rpcidmapd.5.xml:51 msgid "Enable SSS plugin" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_rpcidmapd.5.xml:53 msgid "" "In section <quote>[Translation]</quote>, modify/set <quote>Method</quote> " "attribute to contain <emphasis>sss</emphasis>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss_rpcidmapd.5.xml:59 msgid "[sss] config section" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_rpcidmapd.5.xml:61 msgid "" "In order to change the default of one of the configuration attributes of the " "<emphasis>sss</emphasis> plugin listed below you will need to create a " "config section for it, named <quote>[sss]</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><title> #: sss_rpcidmapd.5.xml:67 msgid "Configuration attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sss_rpcidmapd.5.xml:69 msgid "memcache (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sss_rpcidmapd.5.xml:72 msgid "Indicates whether or not to use memcache optimisation technique." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_rpcidmapd.5.xml:85 msgid "SSSD INTEGRATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:87 msgid "" "The sss plugin requires the <emphasis>NSS Responder</emphasis> to be enabled " "in sssd." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:91 msgid "" "The attribute <quote>use_fully_qualified_names</quote> must be enabled on " "all domains (NFSv4 clients expect a fully qualified name to be sent on the " "wire)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sss_rpcidmapd.5.xml:103 #, no-wrap msgid "" "[General]\n" "Verbosity = 2\n" "# domain must be synced between NFSv4 server and clients\n" "# Solaris/Illumos/AIX use \"localdomain\" as default!\n" "Domain = default\n" "\n" "[Mapping]\n" "Nobody-User = nfsnobody\n" "Nobody-Group = nfsnobody\n" "\n" "[Translation]\n" "Method = sss\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:100 msgid "" "The following example shows a minimal idmapd.conf which makes use of the sss " "plugin. <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <refsect1><title> #: sss_rpcidmapd.5.xml:120 sssd-kcm.8.xml:316 include/seealso.xml:2 msgid "SEE ALSO" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_rpcidmapd.5.xml:122 msgid "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " "</citerefentry>, <citerefentry> <refentrytitle>idmapd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_ssh_authorizedkeys.1.xml:10 sss_ssh_authorizedkeys.1.xml:15 msgid "sss_ssh_authorizedkeys" msgstr "" #. type: Content of: <reference><refentry><refmeta><manvolnum> #: sss_ssh_authorizedkeys.1.xml:11 sss_ssh_knownhostsproxy.1.xml:11 msgid "1" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_ssh_authorizedkeys.1.xml:16 msgid "get OpenSSH authorized keys" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_ssh_authorizedkeys.1.xml:21 msgid "" "<command>sss_ssh_authorizedkeys</command> <arg choice='opt'> " "<replaceable>options</replaceable> </arg> <arg " "choice='plain'><replaceable>USER</replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:32 msgid "" "<command>sss_ssh_authorizedkeys</command> acquires SSH public keys for user " "<replaceable>USER</replaceable> and outputs them in OpenSSH authorized_keys " "format (see the <quote>AUTHORIZED_KEYS FILE FORMAT</quote> section of " "<citerefentry><refentrytitle>sshd</refentrytitle> " "<manvolnum>8</manvolnum></citerefentry> for more information)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:41 msgid "" "<citerefentry><refentrytitle>sshd</refentrytitle> " "<manvolnum>8</manvolnum></citerefentry> can be configured to use " "<command>sss_ssh_authorizedkeys</command> for public key user authentication " "if it is compiled with support for <quote>AuthorizedKeysCommand</quote> " "option. Please refer to the <citerefentry> " "<refentrytitle>sshd_config</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> man page for more details about this " "option." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sss_ssh_authorizedkeys.1.xml:59 #, no-wrap msgid "" " AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys\n" " AuthorizedKeysCommandUser nobody\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:52 msgid "" "If <quote>AuthorizedKeysCommand</quote> is supported, " "<citerefentry><refentrytitle>sshd</refentrytitle> " "<manvolnum>8</manvolnum></citerefentry> can be configured to use it by " "putting the following directives in <citerefentry> " "<refentrytitle>sshd_config</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry>: <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sss_ssh_authorizedkeys.1.xml:65 msgid "KEYS FROM CERTIFICATES" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:67 msgid "" "In addition to the public SSH keys for user <replaceable>USER</replaceable> " "<command>sss_ssh_authorizedkeys</command> can return public SSH keys derived " "from the public key of a X.509 certificate as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:73 msgid "" "To enable this the <quote>ssh_use_certificate_keys</quote> option must be " "set to true (default) in the [ssh] section of " "<filename>sssd.conf</filename>. If the user entry contains certificates (see " "<quote>ldap_user_certificate</quote> in " "<citerefentry><refentrytitle>sssd-ldap</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> for details) or there is a " "certificate in an override entry for the user (see " "<citerefentry><refentrytitle>sss_override</refentrytitle> " "<manvolnum>8</manvolnum></citerefentry> or " "<citerefentry><refentrytitle>sssd-ipa</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> for details) and the certificate is " "valid SSSD will extract the public key from the certificate and convert it " "into the format expected by sshd." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:90 msgid "Besides <quote>ssh_use_certificate_keys</quote> the options" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:96 msgid "" "can be used to control how the certificates are validated (see " "<citerefentry><refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum></citerefentry> for details)." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:101 msgid "" "The validation is the benefit of using X.509 certificates instead of SSH " "keys directly because e.g. it gives a better control of the lifetime of the " "keys. When the ssh client is configured to use the private keys from a " "Smartcard with the help of a PKCS#11 shared library (see " "<citerefentry><refentrytitle>ssh</refentrytitle> " "<manvolnum>1</manvolnum></citerefentry> for details) it might be irritating " "that authentication is still working even if the related X.509 certificate " "on the Smartcard is already expired because neither <command>ssh</command> " "nor <command>sshd</command> will look at the certificate at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sss_ssh_authorizedkeys.1.xml:114 msgid "" "It has to be noted that the derived public SSH key can still be added to the " "<filename>authorized_keys</filename> file of the user to bypass the " "certificate validation if the <command>sshd</command> configuration permits " "this." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_authorizedkeys.1.xml:132 msgid "" "Search for user public keys in SSSD domain " "<replaceable>DOMAIN</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sss_ssh_authorizedkeys.1.xml:141 sss_ssh_knownhostsproxy.1.xml:102 msgid "EXIT STATUS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_authorizedkeys.1.xml:143 sss_ssh_knownhostsproxy.1.xml:104 msgid "" "In case of success, an exit value of 0 is returned. Otherwise, 1 is " "returned." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sss_ssh_knownhostsproxy.1.xml:10 sss_ssh_knownhostsproxy.1.xml:15 msgid "sss_ssh_knownhostsproxy" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sss_ssh_knownhostsproxy.1.xml:16 msgid "get OpenSSH host keys" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sss_ssh_knownhostsproxy.1.xml:21 msgid "" "<command>sss_ssh_knownhostsproxy</command> <arg choice='opt'> " "<replaceable>options</replaceable> </arg> <arg " "choice='plain'><replaceable>HOST</replaceable></arg> <arg " "choice='opt'><replaceable>PROXY_COMMAND</replaceable></arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_knownhostsproxy.1.xml:33 msgid "" "<command>sss_ssh_knownhostsproxy</command> acquires SSH host public keys for " "host <replaceable>HOST</replaceable>, stores them in a custom OpenSSH " "known_hosts file (see the <quote>SSH_KNOWN_HOSTS FILE FORMAT</quote> section " "of <citerefentry><refentrytitle>sshd</refentrytitle> " "<manvolnum>8</manvolnum></citerefentry> for more information) " "<filename>/var/lib/sss/pubconf/known_hosts</filename> and establishes the " "connection to the host." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_knownhostsproxy.1.xml:43 msgid "" "If <replaceable>PROXY_COMMAND</replaceable> is specified, it is used to " "create the connection to the host instead of opening a socket." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sss_ssh_knownhostsproxy.1.xml:55 #, no-wrap msgid "" "ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h\n" "GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sss_ssh_knownhostsproxy.1.xml:48 msgid "" "<citerefentry><refentrytitle>ssh</refentrytitle> " "<manvolnum>1</manvolnum></citerefentry> can be configured to use " "<command>sss_ssh_knownhostsproxy</command> for host key authentication by " "using the following directives for " "<citerefentry><refentrytitle>ssh</refentrytitle> " "<manvolnum>1</manvolnum></citerefentry> configuration: <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_ssh_knownhostsproxy.1.xml:66 msgid "<option>-p</option>,<option>--port</option> <replaceable>PORT</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_knownhostsproxy.1.xml:71 msgid "" "Use port <replaceable>PORT</replaceable> to connect to the host. By " "default, port 22 is used." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_knownhostsproxy.1.xml:83 msgid "" "Search for host public keys in SSSD domain " "<replaceable>DOMAIN</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sss_ssh_knownhostsproxy.1.xml:89 msgid "<option>-k</option>,<option>--pubkey</option>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sss_ssh_knownhostsproxy.1.xml:93 msgid "Print the host ssh public keys for host <replaceable>HOST</replaceable>." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: idmap_sss.8.xml:10 idmap_sss.8.xml:15 msgid "idmap_sss" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: idmap_sss.8.xml:16 msgid "SSSD's idmap_sss Backend for Winbind" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:22 msgid "" "The idmap_sss module provides a way to call SSSD to map UIDs/GIDs and " "SIDs. No database is required in this case as the mapping is done by SSSD." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: idmap_sss.8.xml:29 msgid "IDMAP OPTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: idmap_sss.8.xml:33 msgid "range = low - high" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: idmap_sss.8.xml:35 msgid "" "Defines the available matching UID and GID range for which the backend is " "authoritative." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:45 msgid "This example shows how to configure idmap_sss as the default mapping module." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: idmap_sss.8.xml:50 #, no-wrap msgid "" "[global]\n" "security = ads\n" "workgroup = <AD-DOMAIN-SHORTNAME>\n" "\n" "idmap config <AD-DOMAIN-SHORTNAME> : backend = sss\n" "idmap config <AD-DOMAIN-SHORTNAME> : range = " "200000-2147483647\n" "\n" "idmap config * : backend = tdb\n" "idmap config * : range = 100000-199999\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:62 msgid "" "Please replace <AD-DOMAIN-SHORTNAME> with the NetBIOS domain name of " "the AD domain. If multiple AD domains should be used each domain needs an " "<literal>idmap config</literal> line with <literal>backend = sss</literal> " "and a line with a suitable <literal>range</literal>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: idmap_sss.8.xml:69 msgid "" "Since Winbind requires a writeable default backend and idmap_sss is " "read-only the example includes <literal>backend = tdb</literal> as default." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssctl.8.xml:10 sssctl.8.xml:15 msgid "sssctl" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssctl.8.xml:16 msgid "SSSD control and status utility" msgstr "" #. type: Content of: <reference><refentry><refsynopsisdiv><cmdsynopsis> #: sssctl.8.xml:21 msgid "" "<command>sssctl</command> <arg " "choice='plain'><replaceable>COMMAND</replaceable></arg> <arg choice='opt'> " "<replaceable>options</replaceable> </arg>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssctl.8.xml:32 msgid "" "<command>sssctl</command> provides a simple and unified way to obtain " "information about SSSD status, such as active server, auto-discovered " "servers, domains and cached objects. In addition, it can manage SSSD data " "files for troubleshooting in such a way that is safe to manipulate while " "SSSD is running." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssctl.8.xml:43 msgid "" "To list all available commands run <command>sssctl</command> without any " "parameters. To print help for selected command run <command>sssctl COMMAND " "--help</command>." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-files.5.xml:10 sssd-files.5.xml:16 msgid "sssd-files" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-files.5.xml:17 msgid "SSSD files provider" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:23 msgid "" "This manual page describes the files provider for <citerefentry> " "<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>. For a detailed syntax reference, refer to the <quote>FILE " "FORMAT</quote> section of the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:36 msgid "" "The files provider mirrors the content of the <citerefentry> " "<refentrytitle>passwd</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> and <citerefentry> <refentrytitle>group</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> files. The purpose of the files " "provider is to make the users and groups traditionally only accessible with " "NSS interfaces also available through the SSSD interfaces such as " "<citerefentry> <refentrytitle>sssd-ifp</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:55 msgid "Another reason is to provide efficient caching of local users and groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:58 msgid "" "Please note that besides explicit domain definition the files provider can " "be configured also implicitly using 'enable_files_domain' option. See " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> for details." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:66 msgid "" "SSSD never handles resolution of user/group \"root\". Also resolution of " "UID/GID 0 is not handled by SSSD. Such requests are passed to next NSS " "module (usually files)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:71 msgid "" "When SSSD is not running or responding, nss_sss returns the UNAVAIL code " "which causes the request to be passed to the next module." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-files.5.xml:95 msgid "passwd_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:98 msgid "" "Comma-separated list of one or multiple password filenames to be read and " "enumerated by the files provider, inotify monitor watches will be set on " "each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:104 msgid "Default: /etc/passwd" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-files.5.xml:110 msgid "group_files (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:113 msgid "" "Comma-separated list of one or multiple group filenames to be read and " "enumerated by the files provider, inotify monitor watches will be set on " "each file to detect changes dynamically." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:119 msgid "Default: /etc/group" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-files.5.xml:125 msgid "fallback_to_nss (boolean)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:128 msgid "" "While updating the internal data SSSD will return an error and let the " "client continue with the next NSS module. This helps to avoid delays when " "using the default system files <filename>/etc/passwd</filename> and " "<filename>/etc/group</filename> and the NSS configuration has 'sss' before " "'files' for the 'passwd' and 'group' maps." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-files.5.xml:138 msgid "" "If the files provider is configured to monitor other files it makes sense to " "set this option to 'False' to avoid inconsistent behavior because in general " "there would be no other NSS module which can be used as a fallback." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:79 msgid "" "In addition to the options listed below, generic SSSD domain options can be " "set where applicable. Refer to the section <quote>DOMAIN SECTIONS</quote> " "of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page for details on the " "configuration of an SSSD domain. But the purpose of the files provider is to " "expose the same data as the UNIX files, just through the SSSD " "interfaces. Therefore not all generic domain options are " "supported. Likewise, some global options, such as overriding the shell in " "the <quote>nss</quote> section for all domains has no effect on the files " "domain unless explicitly specified per-domain. <placeholder " "type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:157 msgid "" "The following example assumes that SSSD is correctly configured and files is " "one of the domains in the <replaceable>[sssd]</replaceable> section." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-files.5.xml:163 #, no-wrap msgid "" "[domain/files]\n" "id_provider = files\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-files.5.xml:168 msgid "" "To leverage caching of local users and groups by SSSD nss_sss module must be " "listed before nss_files module in /etc/nsswitch.conf." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-files.5.xml:174 #, no-wrap msgid "" "passwd: sss files\n" "group: sss files\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-session-recording.5.xml:10 sssd-session-recording.5.xml:16 msgid "sssd-session-recording" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-session-recording.5.xml:17 msgid "Configuring session recording with SSSD" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:23 msgid "" "This manual page describes how to configure <citerefentry> " "<refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> </citerefentry> " "to work with <citerefentry> <refentrytitle>tlog-rec-session</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry>, a part of tlog package, to " "implement user session recording on text terminals. For a detailed " "configuration syntax reference, refer to the <quote>FILE FORMAT</quote> " "section of the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:41 msgid "" "SSSD can be set up to enable recording of everything specific users see or " "type during their sessions on text terminals. E.g. when users log in on the " "console, or via SSH. SSSD itself doesn't record anything, but makes sure " "tlog-rec-session is started upon user login, so it can record according to " "its configuration." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:48 msgid "" "For users with session recording enabled, SSSD replaces the user shell with " "tlog-rec-session in NSS responses, and adds a variable specifying the " "original shell to the user environment, upon PAM session setup. This way " "tlog-rec-session can be started in place of the user shell, and know which " "actual shell to start, once it set up the recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:60 msgid "These options can be used to configure the session recording." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-session-recording.5.xml:178 msgid "" "The following snippet of sssd.conf enables session recording for users " "\"contractor1\" and \"contractor2\", and group \"students\"." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-session-recording.5.xml:183 #, no-wrap msgid "" "[session_recording]\n" "scope = some\n" "users = contractor1, contractor2\n" "groups = students\n" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-kcm.8.xml:10 sssd-kcm.8.xml:16 msgid "sssd-kcm" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-kcm.8.xml:17 msgid "SSSD Kerberos Cache Manager" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:23 msgid "" "This manual page describes the configuration of the SSSD Kerberos Cache " "Manager (KCM). KCM is a process that stores, tracks and manages Kerberos " "credential caches. It originates in the Heimdal Kerberos project, although " "the MIT Kerberos library also provides client side (more details on that " "below) support for the KCM credential cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:31 msgid "" "In a setup where Kerberos caches are managed by KCM, the Kerberos library " "(typically used through an application, like e.g., <citerefentry> " "<refentrytitle>kinit</refentrytitle><manvolnum>1</manvolnum> " "</citerefentry>, is a <quote>\"KCM client\"</quote> and the KCM daemon is " "being referred to as a <quote>\"KCM server\"</quote>. The client and server " "communicate over a UNIX socket." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:42 msgid "" "The KCM server keeps track of each credential caches's owner and performs " "access check control based on the UID and GID of the KCM client. The root " "user has access to all credential caches." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:47 msgid "The KCM credential cache has several interesting properties:" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-kcm.8.xml:51 msgid "" "since the process runs in userspace, it is subject to UID namespacing, " "unlike the kernel keyring" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-kcm.8.xml:56 msgid "" "unlike the kernel keyring-based cache, which is shared between all " "containers, the KCM server is a separate process whose entry point is a UNIX " "socket" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-kcm.8.xml:61 msgid "" "the SSSD implementation stores the ccaches in a database, typically located " "at <replaceable>/var/lib/sss/secrets</replaceable> allowing the ccaches to " "survive KCM server restarts or machine reboots." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:67 msgid "" "This allows the system to use a collection-aware credential cache, yet share " "the credential cache between some or no containers by bind-mounting the " "socket." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:72 msgid "" "The KCM default client idle timeout is 5 minutes, this allows more time for " "user interaction with command line tools such as kinit." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:78 msgid "USING THE KCM CREDENTIAL CACHE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:88 #, no-wrap msgid "" "[libdefaults]\n" " default_ccache_name = KCM:\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:80 msgid "" "In order to use KCM credential cache, it must be selected as the default " "credential type in <citerefentry> " "<refentrytitle>krb5.conf</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>, The credentials cache name must be only <quote>KCM:</quote> " "without any template expansions. For example: <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:93 msgid "" "Next, make sure the Kerberos client libraries and the KCM server must agree " "on the UNIX socket path. By default, both use the same path " "<replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>. To configure " "the Kerberos library, change its <quote>kcm_socket</quote> option which is " "described in the <citerefentry> " "<refentrytitle>krb5.conf</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:115 #, no-wrap msgid "" "systemctl start sssd-kcm.socket\n" "systemctl enable sssd-kcm.socket\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:104 msgid "" "Finally, make sure the SSSD KCM server can be contacted. The KCM service is " "typically socket-activated by <citerefentry> " "<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " "</citerefentry>. Unlike other SSSD services, it cannot be started by adding " "the <quote>kcm</quote> string to the <quote>service</quote> directive. " "<placeholder type=\"programlisting\" id=\"0\"/> Please note your " "distribution may already configure the units for you." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:124 msgid "THE CREDENTIAL CACHE STORAGE" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:126 msgid "" "The credential caches are stored in a database, much like SSSD caches user " "or group entries. The database is typically located at " "<quote>/var/lib/sss/secrets</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:133 msgid "OBTAINING DEBUG LOGS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:144 #, no-wrap msgid "" "[kcm]\n" "debug_level = 10\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:149 sssd-kcm.8.xml:211 #, no-wrap msgid "" "systemctl restart sssd-kcm.service\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:135 msgid "" "The sssd-kcm service is typically socket-activated <citerefentry> " "<refentrytitle>systemd</refentrytitle> <manvolnum>1</manvolnum> " "</citerefentry>. To generate debug logs, add the following either to the " "<filename>/etc/sssd/sssd.conf</filename> file directly or as a configuration " "snippet to <filename>/etc/sssd/conf.d/</filename> directory: <placeholder " "type=\"programlisting\" id=\"0\"/> Then, restart the sssd-kcm service: " "<placeholder type=\"programlisting\" id=\"1\"/> Finally, run whatever " "use-case doesn't work for you. The KCM logs will be generated at " "<filename>/var/log/sssd/sssd_kcm.log</filename>. It is recommended to " "disable the debug logs when you no longer need the debugging to be enabled " "as the sssd-kcm service can generate quite a large amount of debugging " "information." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:159 msgid "" "Please note that configuration snippets are, at the moment, only processed " "if the main configuration file at <filename>/etc/sssd/sssd.conf</filename> " "exists at all." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-kcm.8.xml:166 msgid "RENEWALS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:174 #, no-wrap msgid "" "tgt_renewal = true\n" "krb5_renew_interval = 60m\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:168 msgid "" "The sssd-kcm service can be configured to attempt TGT renewal for renewable " "TGTs stored in the KCM ccache. Renewals are only attempted when half of the " "ticket lifetime has been reached. KCM Renewals are configured when the " "following options are set in the [kcm] section: <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:179 msgid "SSSD can also inherit krb5 options for renewals from an existing domain." msgstr "" #. type: Content of: <reference><refentry><refsect1><programlisting> #: sssd-kcm.8.xml:183 #, no-wrap msgid "" "tgt_renewal = true\n" "tgt_renewal_inherit = domain-name\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd-kcm.8.xml:191 #, no-wrap msgid "" "krb5_renew_interval\n" "krb5_renewable_lifetime\n" "krb5_lifetime\n" "krb5_validate\n" "krb5_canonicalize\n" "krb5_auth_timeout\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:187 msgid "" "The following krb5 options can be configured in the [kcm] section to control " "renewal behavior, these options are described in detail below <placeholder " "type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:204 msgid "" "The KCM service is configured in the <quote>kcm</quote> section of the " "sssd.conf file. Please note that because the KCM service is typically " "socket-activated, it is enough to just restart the <quote>sssd-kcm</quote> " "service after changing options in the <quote>kcm</quote> section of " "sssd.conf: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:215 msgid "" "The KCM service is configured in the <quote>kcm</quote> For a detailed " "syntax reference, refer to the <quote>FILE FORMAT</quote> section of the " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:223 msgid "" "The generic SSSD service options such as <quote>debug_level</quote> or " "<quote>fd_limit</quote> are accepted by the kcm service. Please refer to " "the <citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page for a complete list. In " "addition, there are some KCM-specific options as well." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:234 msgid "socket_path (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:237 msgid "The socket the KCM service will listen on." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:240 msgid "Default: <replaceable>/var/run/.heim_org.h5l.kcm-socket</replaceable>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:243 msgid "" "<phrase condition=\"have_systemd\"> Note: on platforms where systemd is " "supported, the socket path is overwritten by the one defined in the " "sssd-kcm.socket unit file. </phrase>" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:252 msgid "max_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:255 msgid "How many credential caches does the KCM database allow for all users." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:259 msgid "Default: 0 (unlimited, only the per-UID quota is enforced)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:264 msgid "max_uid_ccaches (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:267 msgid "" "How many credential caches does the KCM database allow per UID. This is " "equivalent to <quote>with how many principals you can kinit</quote>." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:272 msgid "Default: 64" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:277 msgid "max_ccache_size (integer)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:280 msgid "" "How big can a credential cache be per ccache. Each service ticket accounts " "into this quota." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:284 msgid "Default: 65536" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:289 msgid "tgt_renewal (bool)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:292 msgid "Enables TGT renewals functionality." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:295 msgid "Default: False (Automatic renewals disabled)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-kcm.8.xml:300 msgid "tgt_renewal_inherit (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:303 msgid "Domain to inherit krb5_* options from, for use with TGT renewals." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-kcm.8.xml:307 msgid "Default: NULL" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-kcm.8.xml:318 msgid "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>," msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-systemtap.5.xml:10 sssd-systemtap.5.xml:16 msgid "sssd-systemtap" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-systemtap.5.xml:17 msgid "SSSD systemtap information" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:23 msgid "" "This manual page provides information about the systemtap functionality in " "<citerefentry> <refentrytitle>sssd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:32 msgid "" "SystemTap Probe points have been added into various locations in SSSD code " "to assist in troubleshooting and analyzing performance related issues." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-systemtap.5.xml:40 msgid "Sample SystemTap scripts are provided in /usr/share/sssd/systemtap/" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><itemizedlist><listitem><para> #: sssd-systemtap.5.xml:46 msgid "" "Probes and miscellaneous functions are defined in " "/usr/share/systemtap/tapset/sssd.stp and " "/usr/share/systemtap/tapset/sssd_functions.stp respectively." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-systemtap.5.xml:57 msgid "PROBE POINTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para> #: sssd-systemtap.5.xml:59 sssd-systemtap.5.xml:367 msgid "" "The information below lists the probe points and arguments available in the " "following format:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:64 msgid "probe $name" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:67 msgid "Description of probe point" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:70 #, no-wrap msgid "" "variable1:datatype\n" "variable2:datatype\n" "variable3:datatype\n" "...\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:80 msgid "Database Transaction Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:84 msgid "probe sssd_transaction_start" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:87 msgid "Start of a sysdb transaction, probes the sysdb_transaction_start() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:91 sssd-systemtap.5.xml:105 sssd-systemtap.5.xml:118 #: sssd-systemtap.5.xml:131 #, no-wrap msgid "" "nesting:integer\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:97 msgid "probe sssd_transaction_cancel" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:100 msgid "" "Cancellation of a sysdb transaction, probes the sysdb_transaction_cancel() " "function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:111 msgid "probe sssd_transaction_commit_before" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:114 msgid "Probes the sysdb_transaction_commit_before() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:124 msgid "probe sssd_transaction_commit_after" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:127 msgid "Probes the sysdb_transaction_commit_after() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:141 msgid "LDAP Search Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:145 msgid "probe sdap_search_send" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:148 msgid "Probes the sdap_get_generic_ext_send() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:152 #, no-wrap msgid "" "base:string\n" "scope:integer\n" "filter:string\n" "attrs:string\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:161 msgid "probe sdap_search_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:164 msgid "Probes the sdap_get_generic_ext_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:168 sssd-systemtap.5.xml:222 #, no-wrap msgid "" "base:string\n" "scope:integer\n" "filter:string\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:176 msgid "probe sdap_parse_entry" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:179 msgid "" "Probes the sdap_parse_entry() function. It is called repeatedly with every " "received attribute." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:184 #, no-wrap msgid "" "attr:string\n" "value:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:190 msgid "probe sdap_parse_entry_done" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:193 msgid "" "Probes the sdap_parse_entry() function. It is called when parsing of " "received object is finished." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:201 msgid "probe sdap_deref_send" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:204 msgid "Probes the sdap_deref_search_send() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:208 #, no-wrap msgid "" "base_dn:string\n" "deref_attr:string\n" "probestr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:215 msgid "probe sdap_deref_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:218 msgid "Probes the sdap_deref_search_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:234 msgid "LDAP Account Request Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:238 msgid "probe sdap_acct_req_send" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:241 msgid "Probes the sdap_acct_req_send() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:245 sssd-systemtap.5.xml:260 #, no-wrap msgid "" "entry_type:int\n" "filter_type:int\n" "filter_value:string\n" "extra_value:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:253 msgid "probe sdap_acct_req_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:256 msgid "Probes the sdap_acct_req_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:272 msgid "LDAP User Search Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:276 msgid "probe sdap_search_user_send" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:279 msgid "Probes the sdap_search_user_send() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:283 sssd-systemtap.5.xml:295 sssd-systemtap.5.xml:307 #: sssd-systemtap.5.xml:319 #, no-wrap msgid "" "filter:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:288 msgid "probe sdap_search_user_recv" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:291 msgid "Probes the sdap_search_user_recv() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:300 msgid "probe sdap_search_user_save_begin" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:303 msgid "Probes the sdap_search_user_save_begin() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:312 msgid "probe sdap_search_user_save_end" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:315 msgid "Probes the sdap_search_user_save_end() function." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:328 msgid "Data Provider Request Probes" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:332 msgid "probe dp_req_send" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:335 msgid "A Data Provider request is submitted." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:338 #, no-wrap msgid "" "dp_req_domain:string\n" "dp_req_name:string\n" "dp_req_target:int\n" "dp_req_method:int\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:346 msgid "probe dp_req_done" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:349 msgid "A Data Provider request is completed." msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><para><variablelist><varlistentry><listitem><programlisting> #: sssd-systemtap.5.xml:352 #, no-wrap msgid "" "dp_req_name:string\n" "dp_req_target:int\n" "dp_req_method:int\n" "dp_ret:int\n" "dp_errorstr:string\n" " " msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><title> #: sssd-systemtap.5.xml:365 msgid "MISCELLANEOUS FUNCTIONS" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:372 msgid "function acct_req_desc(entry_type)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:375 msgid "Convert entry_type to string and return string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:380 msgid "" "function sssd_acct_req_probestr(fc_name, entry_type, filter_type, " "filter_value, extra_value)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:384 msgid "Create probe string based on filter type" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:389 msgid "function dp_target_str(target)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:392 msgid "Convert target to string and return string" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:397 msgid "function dp_method_str(target)" msgstr "" #. type: Content of: <reference><refentry><refsect1><refsect2><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:400 msgid "Convert method to string and return string" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-systemtap.5.xml:410 msgid "SAMPLE SYSTEMTAP SCRIPTS" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:412 msgid "" "Start the SystemTap script (<command>stap " "/usr/share/sssd/systemtap/<script_name>.stp</command>), then perform " "an identity operation and the script will collect information from probes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-systemtap.5.xml:418 msgid "Provided SystemTap scripts are:" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:422 msgid "dp_request.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:425 msgid "Monitoring of data provider request performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:430 msgid "id_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:433 msgid "Monitoring of <command>id</command> command performance." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:439 msgid "ldap_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:442 msgid "Monitoring of LDAP queries." msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><term> #: sssd-systemtap.5.xml:447 msgid "nested_group_perf.stp" msgstr "" #. type: Content of: <reference><refentry><refsect1><variablelist><varlistentry><listitem><para> #: sssd-systemtap.5.xml:450 msgid "Performance of nested groups resolving." msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd-ldap-attributes.5.xml:10 sssd-ldap-attributes.5.xml:16 msgid "sssd-ldap-attributes" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd-ldap-attributes.5.xml:17 msgid "SSSD LDAP Provider: Mapping Attributes" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd-ldap-attributes.5.xml:23 msgid "" "This manual page describes the mapping attributes of SSSD LDAP provider " "<citerefentry> <refentrytitle>sssd-ldap</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>. Refer to the <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page for full details about SSSD LDAP provider " "configuration options." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:38 msgid "USER ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:42 msgid "ldap_user_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:45 msgid "The object class of a user entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:48 msgid "Default: posixAccount" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:54 msgid "ldap_user_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:57 msgid "The LDAP attribute that corresponds to the user's login name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:61 msgid "Default: uid (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:68 msgid "ldap_user_uid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:71 msgid "The LDAP attribute that corresponds to the user's id." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:75 msgid "Default: uidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:81 msgid "ldap_user_gid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:84 msgid "The LDAP attribute that corresponds to the user's primary group id." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:88 sssd-ldap-attributes.5.xml:698 msgid "Default: gidNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:94 msgid "ldap_user_primary_group (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:97 msgid "" "Active Directory primary group attribute for ID-mapping. Note that this " "attribute should only be set manually if you are running the " "<quote>ldap</quote> provider with ID mapping." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:103 msgid "Default: unset (LDAP), primaryGroupID (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:109 msgid "ldap_user_gecos (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:112 msgid "The LDAP attribute that corresponds to the user's gecos field." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:116 msgid "Default: gecos" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:122 msgid "ldap_user_home_directory (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:125 msgid "The LDAP attribute that contains the name of the user's home directory." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:129 msgid "Default: homeDirectory (LDAP and IPA), unixHomeDirectory (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:135 msgid "ldap_user_shell (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:138 msgid "The LDAP attribute that contains the path to the user's default shell." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:142 msgid "Default: loginShell" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:148 msgid "ldap_user_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:151 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP user object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:155 sssd-ldap-attributes.5.xml:724 msgid "" "Default: not set in the general case, objectGUID for AD and ipaUniqueID for " "IPA" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:162 msgid "ldap_user_objectsid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:165 msgid "" "The LDAP attribute that contains the objectSID of an LDAP user object. This " "is usually only necessary for ActiveDirectory servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:170 sssd-ldap-attributes.5.xml:739 msgid "Default: objectSid for ActiveDirectory, not set for other servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:177 msgid "ldap_user_modify_timestamp (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:180 sssd-ldap-attributes.5.xml:749 #: sssd-ldap-attributes.5.xml:872 msgid "" "The LDAP attribute that contains timestamp of the last modification of the " "parent object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:184 sssd-ldap-attributes.5.xml:753 #: sssd-ldap-attributes.5.xml:879 msgid "Default: modifyTimestamp" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:190 msgid "ldap_user_shadow_last_change (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:193 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> " "<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> counterpart (date of the last password change)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:203 msgid "Default: shadowLastChange" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:209 msgid "ldap_user_shadow_min (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:212 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> " "<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> counterpart (minimum password age)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:221 msgid "Default: shadowMin" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:227 msgid "ldap_user_shadow_max (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:230 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> " "<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> counterpart (maximum password age)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:239 msgid "Default: shadowMax" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:245 msgid "ldap_user_shadow_warning (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:248 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> " "<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> counterpart (password warning period)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:258 msgid "Default: shadowWarning" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:264 msgid "ldap_user_shadow_inactive (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:267 msgid "" "When using ldap_pwd_policy=shadow, this parameter contains the name of an " "LDAP attribute corresponding to its <citerefentry> " "<refentrytitle>shadow</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> counterpart (password inactivity period)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:277 msgid "Default: shadowInactive" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:283 msgid "ldap_user_shadow_expire (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:286 msgid "" "When using ldap_pwd_policy=shadow or ldap_account_expire_policy=shadow, this " "parameter contains the name of an LDAP attribute corresponding to its " "<citerefentry> <refentrytitle>shadow</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> counterpart (account expiration " "date)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:296 msgid "Default: shadowExpire" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:302 msgid "ldap_user_krb_last_pwd_change (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:305 msgid "" "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " "an LDAP attribute storing the date and time of last password change in " "kerberos." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:311 msgid "Default: krbLastPwdChange" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:317 msgid "ldap_user_krb_password_expiration (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:320 msgid "" "When using ldap_pwd_policy=mit_kerberos, this parameter contains the name of " "an LDAP attribute storing the date and time when current password expires." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:326 msgid "Default: krbPasswordExpiration" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:332 msgid "ldap_user_ad_account_expires (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:335 msgid "" "When using ldap_account_expire_policy=ad, this parameter contains the name " "of an LDAP attribute storing the expiration time of the account." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:340 msgid "Default: accountExpires" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:346 msgid "ldap_user_ad_user_account_control (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:349 msgid "" "When using ldap_account_expire_policy=ad, this parameter contains the name " "of an LDAP attribute storing the user account control bit field." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:354 msgid "Default: userAccountControl" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:360 msgid "ldap_ns_account_lock (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:363 msgid "" "When using ldap_account_expire_policy=rhds or equivalent, this parameter " "determines if access is allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:368 msgid "Default: nsAccountLock" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:374 msgid "ldap_user_nds_login_disabled (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:377 msgid "" "When using ldap_account_expire_policy=nds, this attribute determines if " "access is allowed or not." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:381 sssd-ldap-attributes.5.xml:395 msgid "Default: loginDisabled" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:387 msgid "ldap_user_nds_login_expiration_time (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:390 msgid "" "When using ldap_account_expire_policy=nds, this attribute determines until " "which date access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:401 msgid "ldap_user_nds_login_allowed_time_map (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:404 msgid "" "When using ldap_account_expire_policy=nds, this attribute determines the " "hours of a day in a week when access is granted." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:409 msgid "Default: loginAllowedTimeMap" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:415 msgid "ldap_user_principal (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:418 msgid "" "The LDAP attribute that contains the user's Kerberos User Principal Name " "(UPN)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:422 msgid "Default: krbPrincipalName" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:428 msgid "ldap_user_extra_attrs (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:431 msgid "" "Comma-separated list of LDAP attributes that SSSD would fetch along with the " "usual set of user attributes." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:436 msgid "" "The list can either contain LDAP attribute names only, or colon-separated " "tuples of SSSD cache attribute name and LDAP attribute name. In case only " "LDAP attribute name is specified, the attribute is saved to the cache " "verbatim. Using a custom SSSD attribute name might be required by " "environments that configure several SSSD domains with different LDAP " "schemas." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:446 msgid "" "Please note that several attribute names are reserved by SSSD, notably the " "<quote>name</quote> attribute. SSSD would report an error if any of the " "reserved attribute names is used as an extra attribute name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:456 msgid "ldap_user_extra_attrs = telephoneNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:459 msgid "" "Save the <quote>telephoneNumber</quote> attribute from LDAP as " "<quote>telephoneNumber</quote> to the cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:463 msgid "ldap_user_extra_attrs = phone:telephoneNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:466 msgid "" "Save the <quote>telephoneNumber</quote> attribute from LDAP as " "<quote>phone</quote> to the cache." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:476 msgid "ldap_user_ssh_public_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:479 msgid "The LDAP attribute that contains the user's SSH public keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:483 sssd-ldap-attributes.5.xml:963 msgid "Default: sshPublicKey" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:489 msgid "ldap_user_fullname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:492 msgid "The LDAP attribute that corresponds to the user's full name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:502 msgid "ldap_user_member_of (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:505 msgid "The LDAP attribute that lists the user's group memberships." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:509 sssd-ldap-attributes.5.xml:950 msgid "Default: memberOf" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:515 msgid "ldap_user_authorized_service (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:518 msgid "" "If access_provider=ldap and ldap_access_order=authorized_service, SSSD will " "use the presence of the authorizedService attribute in the user's LDAP entry " "to determine access privilege." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:525 msgid "" "An explicit deny (!svc) is resolved first. Second, SSSD searches for " "explicit allow (svc) and finally for allow_all (*)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:530 msgid "" "Please note that the ldap_access_order configuration option " "<emphasis>must</emphasis> include <quote>authorized_service</quote> in order " "for the ldap_user_authorized_service option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:537 msgid "" "Some distributions (such as Fedora-29+ or RHEL-8) always include the " "<quote>systemd-user</quote> PAM service as part of the login " "process. Therefore when using service-based access control, the " "<quote>systemd-user</quote> service might need to be added to the list of " "allowed services." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:545 msgid "Default: authorizedService" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:551 msgid "ldap_user_authorized_host (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:554 msgid "" "If access_provider=ldap and ldap_access_order=host, SSSD will use the " "presence of the host attribute in the user's LDAP entry to determine access " "privilege." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:560 msgid "" "An explicit deny (!host) is resolved first. Second, SSSD searches for " "explicit allow (host) and finally for allow_all (*)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:565 msgid "" "Please note that the ldap_access_order configuration option " "<emphasis>must</emphasis> include <quote>host</quote> in order for the " "ldap_user_authorized_host option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:572 msgid "Default: host" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:578 msgid "ldap_user_authorized_rhost (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:581 msgid "" "If access_provider=ldap and ldap_access_order=rhost, SSSD will use the " "presence of the rhost attribute in the user's LDAP entry to determine access " "privilege. Similarly to host verification process." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:588 msgid "" "An explicit deny (!rhost) is resolved first. Second, SSSD searches for " "explicit allow (rhost) and finally for allow_all (*)." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:593 msgid "" "Please note that the ldap_access_order configuration option " "<emphasis>must</emphasis> include <quote>rhost</quote> in order for the " "ldap_user_authorized_rhost option to work." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:600 msgid "Default: rhost" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:606 msgid "ldap_user_certificate (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:609 msgid "Name of the LDAP attribute containing the X509 certificate of the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:613 msgid "Default: userCertificate;binary" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:619 msgid "ldap_user_email (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:622 msgid "Name of the LDAP attribute containing the email address of the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:626 msgid "" "Note: If an email address of a user conflicts with an email address or fully " "qualified name of another user, then SSSD will not be able to serve those " "users properly. If for some reason several users need to share the same " "email address then set this option to a nonexistent attribute name in order " "to disable user lookup/login by email." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:635 msgid "Default: mail" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:640 msgid "ldap_user_passkey (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:643 msgid "Name of the LDAP attribute containing the passkey mapping data of the user." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:647 msgid "Default: passkey (LDAP), ipaPassKey (IPA), altSecurityIdentities (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:657 msgid "GROUP ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:661 msgid "ldap_group_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:664 msgid "The object class of a group entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:667 msgid "Default: posixGroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:673 msgid "ldap_group_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:676 msgid "" "The LDAP attribute that corresponds to the group name. In an environment " "with nested groups, this value must be an LDAP attribute which has a unique " "name for every group. This requirement includes non-POSIX groups in the tree " "of nested groups." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:684 msgid "Default: cn (rfc2307, rfc2307bis and IPA), sAMAccountName (AD)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:691 msgid "ldap_group_gid_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:694 msgid "The LDAP attribute that corresponds to the group's id." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:704 msgid "ldap_group_member (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:707 msgid "The LDAP attribute that contains the names of the group's members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:711 msgid "Default: memberuid (rfc2307) / member (rfc2307bis)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:717 msgid "ldap_group_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:720 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP group object." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:731 msgid "ldap_group_objectsid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:734 msgid "" "The LDAP attribute that contains the objectSID of an LDAP group object. This " "is usually only necessary for ActiveDirectory servers." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:746 msgid "ldap_group_modify_timestamp (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:759 msgid "ldap_group_type (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:762 msgid "" "The LDAP attribute that contains an integer value indicating the type of the " "group and maybe other flags." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:767 msgid "" "This attribute is currently only used by the AD provider to determine if a " "group is a domain local groups and has to be filtered out for trusted " "domains." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:773 msgid "Default: groupType in the AD provider, otherwise not set" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:780 msgid "ldap_group_external_member (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:783 msgid "" "The LDAP attribute that references group members that are defined in an " "external domain. At the moment, only IPA's external members are supported." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:789 msgid "Default: ipaExternalMember in the IPA provider, otherwise unset." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:799 msgid "NETGROUP ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:803 msgid "ldap_netgroup_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:806 msgid "The object class of a netgroup entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:809 msgid "In IPA provider, ipa_netgroup_object_class should be used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:813 msgid "Default: nisNetgroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:819 msgid "ldap_netgroup_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:822 msgid "The LDAP attribute that corresponds to the netgroup name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:826 msgid "In IPA provider, ipa_netgroup_name should be used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:836 msgid "ldap_netgroup_member (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:839 msgid "The LDAP attribute that contains the names of the netgroup's members." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:843 msgid "In IPA provider, ipa_netgroup_member should be used instead." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:847 msgid "Default: memberNisNetgroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:853 msgid "ldap_netgroup_triple (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:856 msgid "The LDAP attribute that contains the (host, user, domain) netgroup triples." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:860 sssd-ldap-attributes.5.xml:876 msgid "This option is not available in IPA provider." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:863 msgid "Default: nisNetgroupTriple" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:869 msgid "ldap_netgroup_modify_timestamp (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:888 msgid "HOST ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:892 msgid "ldap_host_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:895 msgid "The object class of a host entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:898 sssd-ldap-attributes.5.xml:995 msgid "Default: ipService" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:904 msgid "ldap_host_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:907 sssd-ldap-attributes.5.xml:933 msgid "The LDAP attribute that corresponds to the host's name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:917 msgid "ldap_host_fqdn (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:920 msgid "" "The LDAP attribute that corresponds to the host's fully-qualified domain " "name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:924 msgid "Default: fqdn" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:930 msgid "ldap_host_serverhostname (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:937 msgid "Default: serverHostname" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:943 msgid "ldap_host_member_of (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:946 msgid "The LDAP attribute that lists the host's group memberships." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:956 msgid "ldap_host_ssh_public_key (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:959 msgid "The LDAP attribute that contains the host's SSH public keys." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:969 msgid "ldap_host_uuid (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:972 msgid "The LDAP attribute that contains the UUID/GUID of an LDAP host object." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:985 msgid "SERVICE ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:989 msgid "ldap_service_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:992 msgid "The object class of a service entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1001 msgid "ldap_service_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1004 msgid "" "The LDAP attribute that contains the name of service attributes and their " "aliases." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1014 msgid "ldap_service_port (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1017 msgid "The LDAP attribute that contains the port managed by this service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1021 msgid "Default: ipServicePort" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1027 msgid "ldap_service_proto (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1030 msgid "The LDAP attribute that contains the protocols understood by this service." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1034 msgid "Default: ipServiceProtocol" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1043 msgid "SUDO ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1047 msgid "ldap_sudorule_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1050 msgid "The object class of a sudo rule entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1053 msgid "Default: sudoRole" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1059 msgid "ldap_sudorule_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1062 msgid "The LDAP attribute that corresponds to the sudo rule name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1072 msgid "ldap_sudorule_command (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1075 msgid "The LDAP attribute that corresponds to the command name." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1079 msgid "Default: sudoCommand" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1085 msgid "ldap_sudorule_host (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1088 msgid "" "The LDAP attribute that corresponds to the host name (or host IP address, " "host IP network, or host netgroup)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1093 msgid "Default: sudoHost" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1099 msgid "ldap_sudorule_user (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1102 msgid "" "The LDAP attribute that corresponds to the user name (or UID, group name or " "user's netgroup)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1106 msgid "Default: sudoUser" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1112 msgid "ldap_sudorule_option (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1115 msgid "The LDAP attribute that corresponds to the sudo options." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1119 msgid "Default: sudoOption" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1125 msgid "ldap_sudorule_runasuser (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1128 msgid "" "The LDAP attribute that corresponds to the user name that commands may be " "run as." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1132 msgid "Default: sudoRunAsUser" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1138 msgid "ldap_sudorule_runasgroup (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1141 msgid "" "The LDAP attribute that corresponds to the group name or group GID that " "commands may be run as." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1145 msgid "Default: sudoRunAsGroup" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1151 msgid "ldap_sudorule_notbefore (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1154 msgid "" "The LDAP attribute that corresponds to the start date/time for when the sudo " "rule is valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1158 msgid "Default: sudoNotBefore" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1164 msgid "ldap_sudorule_notafter (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1167 msgid "" "The LDAP attribute that corresponds to the expiration date/time, after which " "the sudo rule will no longer be valid." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1172 msgid "Default: sudoNotAfter" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1178 msgid "ldap_sudorule_order (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1181 msgid "The LDAP attribute that corresponds to the ordering index of the rule." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1185 msgid "Default: sudoOrder" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1194 msgid "AUTOFS ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1201 msgid "IP HOST ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1205 msgid "ldap_iphost_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1208 msgid "The object class of an iphost entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1211 msgid "Default: ipHost" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1217 msgid "ldap_iphost_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1220 msgid "" "The LDAP attribute that contains the name of the IP host attributes and " "their aliases." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1230 msgid "ldap_iphost_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1233 msgid "The LDAP attribute that contains the IP host address." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1237 msgid "Default: ipHostNumber" msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd-ldap-attributes.5.xml:1246 msgid "IP NETWORK ATTRIBUTES" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1250 msgid "ldap_ipnetwork_object_class (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1253 msgid "The object class of an ipnetwork entry in LDAP." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1256 msgid "Default: ipNetwork" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1262 msgid "ldap_ipnetwork_name (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1265 msgid "" "The LDAP attribute that contains the name of the IP network attributes and " "their aliases." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><term> #: sssd-ldap-attributes.5.xml:1275 msgid "ldap_ipnetwork_number (string)" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1278 msgid "The LDAP attribute that contains the IP network address." msgstr "" #. type: Content of: <reference><refentry><refsect1><para><variablelist><varlistentry><listitem><para> #: sssd-ldap-attributes.5.xml:1282 msgid "Default: ipNetworkNumber" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refname> #: sssd_krb5_localauth_plugin.8.xml:10 sssd_krb5_localauth_plugin.8.xml:15 msgid "sssd_krb5_localauth_plugin" msgstr "" #. type: Content of: <reference><refentry><refnamediv><refpurpose> #: sssd_krb5_localauth_plugin.8.xml:16 msgid "Kerberos local authorization plugin" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:22 msgid "" "The Kerberos local authorization plugin " "<command>sssd_krb5_localauth_plugin</command> is used by libkrb5 to either " "find the local name for a given Kerberos principal or to check if a given " "local name and a given Kerberos principal relate to each other." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:29 msgid "" "SSSD handles the local names for users from a remote source and can read the " "Kerberos user principal name from the remote source as well. With this " "information SSSD can easily handle the mappings mentioned above even if the " "local name and the Kerberos principal differ considerably." msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:36 msgid "" "Additionally with the information read from the remote source SSSD can help " "to prevent unexpected or unwanted mappings in case the user part of the " "Kerberos principal accidentally corresponds to a local name of a different " "user. By default libkrb5 might just strip the realm part of the Kerberos " "principal to get the local name which would lead to wrong mappings in this " "case." msgstr "" #. type: Content of: <reference><refentry><refsect1><title> #: sssd_krb5_localauth_plugin.8.xml:46 msgid "CONFIGURATION" msgstr "" #. type: Content of: <reference><refentry><refsect1><para><programlisting> #: sssd_krb5_localauth_plugin.8.xml:56 #, no-wrap msgid "" "[plugins]\n" " localauth = {\n" " module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so\n" " }\n" msgstr "" #. type: Content of: <reference><refentry><refsect1><para> #: sssd_krb5_localauth_plugin.8.xml:48 msgid "" "The Kerberos local authorization plugin must be enabled explicitly in the " "Kerberos configuration, see <citerefentry> " "<refentrytitle>krb5.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry>. SSSD will create a config snippet with the content like " "e.g. <placeholder type=\"programlisting\" id=\"0\"/> automatically in the " "SSSD's public Kerberos configuration snippet directory. If this directory is " "included in the local Kerberos configuration the plugin will be enabled " "automatically." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:3 msgid "ldap_autofs_map_object_class (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:6 msgid "The object class of an automount map entry in LDAP." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:9 msgid "Default: nisMap (rfc2307, autofs_provider=ad), otherwise automountMap" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:16 msgid "ldap_autofs_map_name (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:19 msgid "The name of an automount map entry in LDAP." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:22 msgid "" "Default: nisMapName (rfc2307, autofs_provider=ad), otherwise " "automountMapName" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:29 msgid "ldap_autofs_entry_object_class (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:32 msgid "" "The object class of an automount entry in LDAP. The entry usually " "corresponds to a mount point." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:37 msgid "Default: nisObject (rfc2307, autofs_provider=ad), otherwise automount" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:44 msgid "ldap_autofs_entry_key (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:47 include/autofs_attributes.xml:61 msgid "" "The key of an automount entry in LDAP. The entry usually corresponds to a " "mount point." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:51 msgid "Default: cn (rfc2307, autofs_provider=ad), otherwise automountKey" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/autofs_attributes.xml:58 msgid "ldap_autofs_entry_value (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/autofs_attributes.xml:65 msgid "" "Default: nisMapEntry (rfc2307, autofs_provider=ad), otherwise " "automountInformation" msgstr "" #. type: Content of: <refsect1><title> #: include/service_discovery.xml:2 msgid "SERVICE DISCOVERY" msgstr "" #. type: Content of: <refsect1><para> #: include/service_discovery.xml:4 msgid "" "The service discovery feature allows back ends to automatically find the " "appropriate servers to connect to using a special DNS query. This feature is " "not supported for backup servers." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:9 include/ldap_id_mapping.xml:99 msgid "Configuration" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:11 msgid "" "If no servers are specified, the back end automatically uses service " "discovery to try to find a server. Optionally, the user may choose to use " "both fixed server addresses and service discovery by inserting a special " "keyword, <quote>_srv_</quote>, in the list of servers. The order of " "preference is maintained. This feature is useful if, for example, the user " "prefers to use service discovery whenever possible, and fall back to a " "specific server when no servers can be discovered using DNS." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:23 msgid "The domain name" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:25 msgid "" "Please refer to the <quote>dns_discovery_domain</quote> parameter in the " "<citerefentry> <refentrytitle>sssd.conf</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry> manual page for more details." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:35 msgid "The protocol" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:37 msgid "" "The queries usually specify _tcp as the protocol. Exceptions are documented " "in respective option description." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/service_discovery.xml:42 msgid "See Also" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/service_discovery.xml:44 msgid "For more information on the service discovery mechanism, refer to RFC 2782." msgstr "" #. type: Content of: <refentryinfo> #: include/upstream.xml:2 msgid "" "<productname>SSSD</productname> <orgname>The SSSD upstream - " "https://github.com/SSSD/sssd/</orgname>" msgstr "" #. type: Content of: outside any tag (error?) #: include/upstream.xml:1 msgid "<placeholder type=\"refentryinfo\" id=\"0\"/>" msgstr "" #. type: Content of: <refsect1><title> #: include/failover.xml:2 msgid "FAILOVER" msgstr "" #. type: Content of: <refsect1><para> #: include/failover.xml:4 msgid "" "The failover feature allows back ends to automatically switch to a different " "server if the current server fails." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/failover.xml:8 msgid "Failover Syntax" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:10 msgid "" "The list of servers is given as a comma-separated list; any number of spaces " "is allowed around the comma. The servers are listed in order of " "preference. The list can contain any number of servers." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:16 msgid "" "For each failover-enabled config option, two variants exist: " "<emphasis>primary</emphasis> and <emphasis>backup</emphasis>. The idea is " "that servers in the primary list are preferred and backup servers are only " "searched if no primary servers can be reached. If a backup server is " "selected, a timeout of 31 seconds is set. After this timeout SSSD will " "periodically try to reconnect to one of the primary servers. If it succeeds, " "it will replace the current active (backup) server." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/failover.xml:27 msgid "The Failover Mechanism" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:29 msgid "" "The failover mechanism distinguishes between a machine and a service. The " "back end first tries to resolve the hostname of a given machine; if this " "resolution attempt fails, the machine is considered offline. No further " "attempts are made to connect to this machine for any other service. If the " "resolution attempt succeeds, the back end tries to connect to a service on " "this machine. If the service connection attempt fails, then only this " "particular service is considered offline and the back end automatically " "switches over to the next service. The machine is still considered online " "and might still be tried for another service." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:42 msgid "" "Further connection attempts are made to machines or services marked as " "offline after a specified period of time; this is currently hard coded to 30 " "seconds." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:47 msgid "" "If there are no more machines to try, the back end as a whole switches to " "offline mode, and then attempts to reconnect every 30 seconds." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/failover.xml:53 msgid "Failover time outs and tuning" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:55 msgid "" "Resolving a server to connect to can be as simple as running a single DNS " "query or can involve several steps, such as finding the correct site or " "trying out multiple host names in case some of the configured servers are " "not reachable. The more complex scenarios can take some time and SSSD needs " "to balance between providing enough time to finish the resolution process " "but on the other hand, not trying for too long before falling back to " "offline mode. If the SSSD debug logs show that the server resolution is " "timing out before a live server is contacted, you can consider changing the " "time outs." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> #: include/failover.xml:76 msgid "dns_resolver_server_timeout" msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: include/failover.xml:80 msgid "" "Time in milliseconds that sets how long would SSSD talk to a single DNS " "server before trying next one." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> #: include/failover.xml:90 msgid "dns_resolver_op_timeout" msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: include/failover.xml:94 msgid "" "Time in seconds to tell how long would SSSD try to resolve single DNS query " "(e.g. resolution of a hostname or an SRV record) before trying the next " "hostname or discovery domain." msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><term> #: include/failover.xml:106 msgid "dns_resolver_timeout" msgstr "" #. type: Content of: <refsect1><refsect2><para><variablelist><varlistentry><listitem><para> #: include/failover.xml:110 msgid "" "How long would SSSD try to resolve a failover service. This service " "resolution internally might include several steps, such as resolving DNS SRV " "queries or locating the site." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:67 msgid "" "This section lists the available tunables. Please refer to their description " "in the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>, manual page. <placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/failover.xml:123 msgid "" "For LDAP-based providers, the resolve operation is performed as part of an " "LDAP connection operation. Therefore, also the " "<quote>ldap_opt_timeout</quote> timeout should be set to a larger value than " "<quote>dns_resolver_timeout</quote> which in turn should be set to a larger " "value than <quote>dns_resolver_op_timeout</quote> which should be larger " "than <quote>dns_resolver_server_timeout</quote>." msgstr "" #. type: Content of: <refsect1><title> #: include/ldap_id_mapping.xml:2 msgid "ID MAPPING" msgstr "" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:4 msgid "" "The ID-mapping feature allows SSSD to act as a client of Active Directory " "without requiring administrators to extend user attributes to support POSIX " "attributes for user and group identifiers." msgstr "" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:9 msgid "" "NOTE: When ID-mapping is enabled, the uidNumber and gidNumber attributes are " "ignored. This is to avoid the possibility of conflicts between " "automatically-assigned and manually-assigned values. If you need to use " "manually-assigned values, ALL values must be manually-assigned." msgstr "" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:16 msgid "" "Please note that changing the ID mapping related configuration options will " "cause user and group IDs to change. At the moment, SSSD does not support " "changing IDs, so the SSSD database must be removed. Because cached passwords " "are also stored in the database, removing the database should only be " "performed while the authentication servers are reachable, otherwise users " "might get locked out. In order to cache the password, an authentication must " "be performed. It is not sufficient to use <citerefentry> " "<refentrytitle>sss_cache</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry> to remove the database, rather the process consists of:" msgstr "" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:33 msgid "Making sure the remote servers are reachable" msgstr "" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:38 msgid "Stopping the SSSD service" msgstr "" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:43 msgid "Removing the database" msgstr "" #. type: Content of: <refsect1><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:48 msgid "Starting the SSSD service" msgstr "" #. type: Content of: <refsect1><para> #: include/ldap_id_mapping.xml:52 msgid "" "Moreover, as the change of IDs might necessitate the adjustment of other " "system properties such as file and directory ownership, it's advisable to " "plan ahead and test the ID mapping configuration thoroughly." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ldap_id_mapping.xml:59 msgid "Mapping Algorithm" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:61 msgid "" "Active Directory provides an objectSID for every user and group object in " "the directory. This objectSID can be broken up into components that " "represent the Active Directory domain identity and the relative identifier " "(RID) of the user or group object." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:67 msgid "" "The SSSD ID-mapping algorithm takes a range of available UIDs and divides it " "into equally-sized component sections - called \"slices\"-. Each slice " "represents the space available to an Active Directory domain." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:73 msgid "" "When a user or group entry for a particular domain is encountered for the " "first time, the SSSD allocates one of the available slices for that " "domain. In order to make this slice-assignment repeatable on different " "client machines, we select the slice based on the following algorithm:" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:80 msgid "" "The SID string is passed through the murmurhash3 algorithm to convert it to " "a 32-bit hashed value. We then take the modulus of this value with the total " "number of available slices to pick the slice." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:86 msgid "" "NOTE: It is possible to encounter collisions in the hash and subsequent " "modulus. In these situations, we will select the next available slice, but " "it may not be possible to reproduce the same exact set of slices on other " "machines (since the order that they are encountered will determine their " "slice). In this situation, it is recommended to either switch to using " "explicit POSIX attributes in Active Directory (disabling ID-mapping) or " "configure a default domain to guarantee that at least one is always " "consistent. See <quote>Configuration</quote> for details." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:101 msgid "Minimum configuration (in the <quote>[domain/DOMAINNAME]</quote> section):" msgstr "" #. type: Content of: <refsect1><refsect2><para><programlisting> #: include/ldap_id_mapping.xml:106 #, no-wrap msgid "" "ldap_id_mapping = True\n" "ldap_schema = ad\n" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:111 msgid "" "The default configuration results in configuring 10,000 slices, each capable " "of holding up to 200,000 IDs, starting from 200,000 and going up to " "2,000,200,000. This should be sufficient for most deployments." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><title> #: include/ldap_id_mapping.xml:117 msgid "Advanced Configuration" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:120 msgid "ldap_idmap_range_min (integer)" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:123 msgid "" "Specifies the lower (inclusive) bound of the range of POSIX IDs to use for " "mapping Active Directory user and group SIDs. It is the first POSIX ID which " "can be used for the mapping." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:129 msgid "" "NOTE: This option is different from <quote>min_id</quote> in that " "<quote>min_id</quote> acts to filter the output of requests to this domain, " "whereas this option controls the range of ID assignment. This is a subtle " "distinction, but the good general advice would be to have " "<quote>min_id</quote> be less-than or equal to " "<quote>ldap_idmap_range_min</quote>" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:139 include/ldap_id_mapping.xml:197 msgid "Default: 200000" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:144 msgid "ldap_idmap_range_max (integer)" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:147 msgid "" "Specifies the upper (exclusive) bound of the range of POSIX IDs to use for " "mapping Active Directory user and group SIDs. It is the first POSIX ID which " "cannot be used for the mapping anymore, i.e. one larger than the last one " "which can be used for the mapping." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:155 msgid "" "NOTE: This option is different from <quote>max_id</quote> in that " "<quote>max_id</quote> acts to filter the output of requests to this domain, " "whereas this option controls the range of ID assignment. This is a subtle " "distinction, but the good general advice would be to have " "<quote>max_id</quote> be greater-than or equal to " "<quote>ldap_idmap_range_max</quote>" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:165 msgid "Default: 2000200000" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:170 msgid "ldap_idmap_range_size (integer)" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:173 msgid "" "Specifies the number of IDs available for each slice. If the range size " "does not divide evenly into the min and max values, it will create as many " "complete slices as it can." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:179 msgid "" "NOTE: The value of this option must be at least as large as the highest user " "RID planned for use on the Active Directory server. User lookups and login " "will fail for any user whose RID is greater than this value." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:185 msgid "" "For example, if your most recently-added Active Directory user has " "objectSid=S-1-5-21-2153326666-2176343378-3404031434-1107, " "<quote>ldap_idmap_range_size</quote> must be at least 1108 as range size is " "equal to maximal SID minus minimal SID plus one (e.g. 1108 = 1107 - 0 + 1)." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:192 msgid "" "It is important to plan ahead for future expansion, as changing this value " "will result in changing all of the ID mappings on the system, leading to " "users with different local IDs than they previously had." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:202 msgid "ldap_idmap_default_domain_sid (string)" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:205 msgid "" "Specify the domain SID of the default domain. This will guarantee that this " "domain will always be assigned to slice zero in the ID map, bypassing the " "murmurhash algorithm described above." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:216 msgid "ldap_idmap_default_domain (string)" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:219 msgid "Specify the name of the default domain." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:227 msgid "ldap_idmap_autorid_compat (boolean)" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:230 msgid "" "Changes the behavior of the ID-mapping algorithm to behave more similarly to " "winbind's <quote>idmap_autorid</quote> algorithm." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:235 msgid "" "When this option is configured, domains will be allocated starting with " "slice zero and increasing monotonically with each additional domain." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:240 msgid "" "NOTE: This algorithm is non-deterministic (it depends on the order that " "users and groups are requested). If this mode is required for compatibility " "with machines running winbind, it is recommended to also use the " "<quote>ldap_idmap_default_domain_sid</quote> option to guarantee that at " "least one domain is consistently allocated to slice zero." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><term> #: include/ldap_id_mapping.xml:255 msgid "ldap_idmap_helper_table_size (integer)" msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:258 msgid "" "Maximal number of secondary slices that is tried when performing mapping " "from UNIX id to SID." msgstr "" #. type: Content of: <refsect1><refsect2><refsect3><variablelist><varlistentry><listitem><para> #: include/ldap_id_mapping.xml:262 msgid "" "Note: Additional secondary slices might be generated when SID is being " "mapped to UNIX id and RID part of SID is out of range for secondary slices " "generated so far. If value of ldap_idmap_helper_table_size is equal to 0 " "then no additional secondary slices are generated." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ldap_id_mapping.xml:279 msgid "Well-Known SIDs" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:281 msgid "" "SSSD supports to look up the names of Well-Known SIDs, i.e. SIDs with a " "special hardcoded meaning. Since the generic users and groups related to " "those Well-Known SIDs have no equivalent in a Linux/UNIX environment no " "POSIX IDs are available for those objects." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:287 msgid "" "The SID name space is organized in authorities which can be seen as " "different domains. The authorities for the Well-Known SIDs are" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:290 msgid "Null Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:291 msgid "World Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:292 msgid "Local Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:293 msgid "Creator Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:294 msgid "Mandatory Label Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:295 msgid "Authentication Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:296 msgid "NT Authority" msgstr "" #. type: Content of: <refsect1><refsect2><para><itemizedlist><listitem><para> #: include/ldap_id_mapping.xml:297 msgid "Built-in" msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:299 msgid "" "The capitalized version of these names are used as domain names when " "returning the fully qualified name of a Well-Known SID." msgstr "" #. type: Content of: <refsect1><refsect2><para> #: include/ldap_id_mapping.xml:303 msgid "" "Since some utilities allow to modify SID based access control information " "with the help of a name instead of using the SID directly SSSD supports to " "look up the SID by the name as well. To avoid collisions only the fully " "qualified names can be used to look up Well-Known SIDs. As a result the " "domain names <quote>NULL AUTHORITY</quote>, <quote>WORLD AUTHORITY</quote>, " "<quote>LOCAL AUTHORITY</quote>, <quote>CREATOR AUTHORITY</quote>, " "<quote>MANDATORY LABEL AUTHORITY</quote>, <quote>AUTHENTICATION " "AUTHORITY</quote>, <quote>NT AUTHORITY</quote> and <quote>BUILTIN</quote> " "should not be used as domain names in <filename>sssd.conf</filename>." msgstr "" #. type: Content of: <varlistentry><term> #: include/param_help.xml:3 msgid "<option>-?</option>,<option>--help</option>" msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/param_help.xml:7 include/param_help_py.xml:7 msgid "Display help message and exit." msgstr "" #. type: Content of: <varlistentry><term> #: include/param_help_py.xml:3 msgid "<option>-h</option>,<option>--help</option>" msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:3 include/debug_levels_tools.xml:3 msgid "" "SSSD supports two representations for specifying the debug level. The " "simplest is to specify a decimal value from 0-9, which represents enabling " "that level and all lower-level debug messages. The more comprehensive option " "is to specify a hexadecimal bitmask to enable or disable specific levels " "(such as if you wish to suppress a level)." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:10 msgid "" "Please note that each SSSD service logs into its own log file. Also please " "note that enabling <quote>debug_level</quote> in the <quote>[sssd]</quote> " "section only enables debugging just for the sssd process itself, not for the " "responder or provider processes. The <quote>debug_level</quote> parameter " "should be added to all sections that you wish to produce debug logs from." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:18 msgid "" "In addition to changing the log level in the config file using the " "<quote>debug_level</quote> parameter, which is persistent, but requires SSSD " "restart, it is also possible to change the debug level on the fly using the " "<citerefentry> <refentrytitle>sss_debuglevel</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry> tool." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:29 include/debug_levels_tools.xml:10 msgid "Currently supported debug levels:" msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:32 include/debug_levels_tools.xml:13 msgid "" "<emphasis>0</emphasis>, <emphasis>0x0010</emphasis>: Fatal " "failures. Anything that would prevent SSSD from starting up or causes it to " "cease running." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:38 include/debug_levels_tools.xml:19 msgid "" "<emphasis>1</emphasis>, <emphasis>0x0020</emphasis>: Critical failures. An " "error that doesn't kill SSSD, but one that indicates that at least one major " "feature is not going to work properly." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:45 include/debug_levels_tools.xml:26 msgid "" "<emphasis>2</emphasis>, <emphasis>0x0040</emphasis>: Serious failures. An " "error announcing that a particular request or operation has failed." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:50 include/debug_levels_tools.xml:31 msgid "" "<emphasis>3</emphasis>, <emphasis>0x0080</emphasis>: Minor failures. These " "are the errors that would percolate down to cause the operation failure of " "2." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:55 include/debug_levels_tools.xml:36 msgid "<emphasis>4</emphasis>, <emphasis>0x0100</emphasis>: Configuration settings." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:59 include/debug_levels_tools.xml:40 msgid "<emphasis>5</emphasis>, <emphasis>0x0200</emphasis>: Function data." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:63 include/debug_levels_tools.xml:44 msgid "" "<emphasis>6</emphasis>, <emphasis>0x0400</emphasis>: Trace messages for " "operation functions." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:67 include/debug_levels_tools.xml:48 msgid "" "<emphasis>7</emphasis>, <emphasis>0x1000</emphasis>: Trace messages for " "internal control functions." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:72 include/debug_levels_tools.xml:53 msgid "" "<emphasis>8</emphasis>, <emphasis>0x2000</emphasis>: Contents of " "function-internal variables that may be interesting." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:77 include/debug_levels_tools.xml:58 msgid "" "<emphasis>9</emphasis>, <emphasis>0x4000</emphasis>: Extremely low-level " "tracing information." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:81 msgid "" "<emphasis>9</emphasis>, <emphasis>0x20000</emphasis>: Performance and " "statistical data, please note that due to the way requests are processed " "internally the logged execution time of a request might be longer than it " "actually was." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:88 include/debug_levels_tools.xml:62 msgid "" "<emphasis>10</emphasis>, <emphasis>0x10000</emphasis>: Even more low-level " "libldb tracing information. Almost never really required." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:93 include/debug_levels_tools.xml:67 msgid "" "To log required bitmask debug levels, simply add their numbers together as " "shown in following examples:" msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:97 include/debug_levels_tools.xml:71 msgid "" "<emphasis>Example</emphasis>: To log fatal failures, critical failures, " "serious failures and function data use 0x0270." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:101 include/debug_levels_tools.xml:75 msgid "" "<emphasis>Example</emphasis>: To log fatal failures, configuration settings, " "function data, trace messages for internal control functions use 0x1310." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:106 include/debug_levels_tools.xml:80 msgid "" "<emphasis>Note</emphasis>: The bitmask format of debug levels was introduced " "in 1.7.0." msgstr "" #. type: Content of: <listitem><para> #: include/debug_levels.xml:110 include/debug_levels_tools.xml:84 msgid "" "<emphasis>Default</emphasis>: 0x0070 (i.e. fatal, critical and serious " "failures; corresponds to setting 2 in decimal notation)" msgstr "" #. type: Content of: <refsect1><title> #: include/local.xml:2 msgid "THE LOCAL DOMAIN" msgstr "" #. type: Content of: <refsect1><para> #: include/local.xml:4 msgid "" "In order to function correctly, a domain with " "<quote>id_provider=local</quote> must be created and the SSSD must be " "running." msgstr "" #. type: Content of: <refsect1><para> #: include/local.xml:9 msgid "" "The administrator might want to use the SSSD local users instead of " "traditional UNIX users in cases where the group nesting (see <citerefentry> " "<refentrytitle>sss_groupadd</refentrytitle> <manvolnum>8</manvolnum> " "</citerefentry>) is needed. The local users are also useful for testing and " "development of the SSSD without having to deploy a full remote server. The " "<command>sss_user*</command> and <command>sss_group*</command> tools use a " "local LDB storage to store users and groups." msgstr "" #. type: Content of: <refsect1><para> #: include/seealso.xml:4 msgid "" "<citerefentry> <refentrytitle>sssd</refentrytitle><manvolnum>8</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sssd-ldap-attributes</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sssd-simple</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sssd-ipa</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sssd-ad</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>, <phrase condition=\"with_files_provider\"> <citerefentry> " "<refentrytitle>sssd-files</refentrytitle><manvolnum>5</manvolnum> " "</citerefentry>, </phrase> <phrase condition=\"with_sudo\"> <citerefentry> " "<refentrytitle>sssd-sudo</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry>, </phrase> <citerefentry> " "<refentrytitle>sssd-session-recording</refentrytitle> " "<manvolnum>5</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sss_cache</refentrytitle><manvolnum>8</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sss_debuglevel</refentrytitle><manvolnum>8</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sss_obfuscate</refentrytitle><manvolnum>8</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sss_seed</refentrytitle><manvolnum>8</manvolnum> " "</citerefentry>, <citerefentry> " "<refentrytitle>sssd_krb5_locator_plugin</refentrytitle><manvolnum>8</manvolnum> " "</citerefentry>, <phrase condition=\"with_ssh\"> <citerefentry> " "<refentrytitle>sss_ssh_authorizedkeys</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry>, <citerefentry> " "<refentrytitle>sss_ssh_knownhostsproxy</refentrytitle> " "<manvolnum>8</manvolnum> </citerefentry>, </phrase> <phrase " "condition=\"with_ifp\"> <citerefentry> " "<refentrytitle>sssd-ifp</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry>, </phrase> <citerefentry> " "<refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum> " "</citerefentry>. <citerefentry> " "<refentrytitle>sss_rpcidmapd</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> <phrase condition=\"with_stap\"> <citerefentry> " "<refentrytitle>sssd-systemtap</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> </phrase>" msgstr "" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:3 msgid "" "An optional base DN, search scope and LDAP filter to restrict LDAP searches " "for this attribute type." msgstr "" #. type: Content of: <listitem><para><programlisting> #: include/ldap_search_bases.xml:9 #, no-wrap msgid "search_base[?scope?[filter][?search_base?scope?[filter]]*]\n" msgstr "" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:7 msgid "syntax: <placeholder type=\"programlisting\" id=\"0\"/>" msgstr "" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:13 msgid "" "The scope can be one of \"base\", \"onelevel\" or \"subtree\". The scope " "functions as specified in section 4.5.1.2 of " "http://tools.ietf.org/html/rfc4511" msgstr "" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:23 msgid "" "For examples of this syntax, please refer to the " "<quote>ldap_search_base</quote> examples section." msgstr "" #. type: Content of: <listitem><para> #: include/ldap_search_bases.xml:31 msgid "" "Please note that specifying scope or filter is not supported for searches " "against an Active Directory Server that might yield a large number of " "results and trigger the Range Retrieval extension in the response." msgstr "" #. type: Content of: <para> #: include/autofs_restart.xml:2 msgid "" "Please note that the automounter only reads the master map on startup, so if " "any autofs-related changes are made to the sssd.conf, you typically also " "need to restart the automounter daemon after restarting the SSSD." msgstr "" #. type: Content of: <varlistentry><term> #: include/override_homedir.xml:2 msgid "override_homedir (string)" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:16 msgid "UID number" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:20 msgid "domain name" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:23 msgid "%f" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:24 msgid "fully qualified user name (user@domain)" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:27 msgid "%l" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:28 msgid "The first letter of the login name." msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:32 msgid "UPN - User Principal Name (name@REALM)" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:35 msgid "%o" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:37 msgid "The original home directory retrieved from the identity provider." msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:44 msgid "" "The original home directory retrieved from the identity provider, but in " "lower case." msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><term> #: include/override_homedir.xml:49 msgid "%H" msgstr "" #. type: Content of: <varlistentry><listitem><para><variablelist><varlistentry><listitem><para> #: include/override_homedir.xml:51 msgid "The value of configure option <emphasis>homedir_substring</emphasis>." msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:5 msgid "" "Override the user's home directory. You can either provide an absolute value " "or a template. In the template, the following sequences are substituted: " "<placeholder type=\"variablelist\" id=\"0\"/>" msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:63 msgid "This option can also be set per-domain." msgstr "" #. type: Content of: <varlistentry><listitem><para><programlisting> #: include/override_homedir.xml:68 #, no-wrap msgid "" "override_homedir = /home/%u\n" " " msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:72 msgid "Default: Not set (SSSD will use the value retrieved from LDAP)" msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/override_homedir.xml:76 msgid "" "Please note, the home directory from a specific override for the user, " "either locally (see " "<citerefentry><refentrytitle>sss_override</refentrytitle> " "<manvolnum>8</manvolnum></citerefentry>) or centrally managed IPA " "id-overrides, has a higher precedence and will be used instead of the value " "given by override_homedir." msgstr "" #. type: Content of: <varlistentry><term> #: include/homedir_substring.xml:2 msgid "homedir_substring (string)" msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/homedir_substring.xml:5 msgid "" "The value of this option will be used in the expansion of the " "<emphasis>override_homedir</emphasis> option if the template contains the " "format string <emphasis>%H</emphasis>. An LDAP directory entry can directly " "contain this template so that this option can be used to expand the home " "directory path for each client machine (or operating system). It can be set " "per-domain or globally in the [nss] section. A value specified in a domain " "section will override one set in the [nss] section." msgstr "" #. type: Content of: <varlistentry><listitem><para> #: include/homedir_substring.xml:15 msgid "Default: /home" msgstr "" #. type: Content of: <refsect1><title> #: include/ad_modified_defaults.xml:2 include/ipa_modified_defaults.xml:2 msgid "MODIFIED DEFAULT OPTIONS" msgstr "" #. type: Content of: <refsect1><para> #: include/ad_modified_defaults.xml:4 msgid "" "Certain option defaults do not match their respective backend provider " "defaults, these option names and AD provider-specific defaults are listed " "below:" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:9 include/ipa_modified_defaults.xml:9 msgid "KRB5 Provider" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:13 include/ipa_modified_defaults.xml:13 msgid "krb5_validate = true" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:18 msgid "krb5_use_enterprise_principal = true" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:24 msgid "LDAP Provider" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:28 msgid "ldap_schema = ad" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:33 include/ipa_modified_defaults.xml:38 msgid "ldap_force_upper_case_realm = true" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:38 msgid "ldap_id_mapping = true" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:43 msgid "ldap_sasl_mech = GSS-SPNEGO" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:48 msgid "ldap_referrals = false" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:53 msgid "ldap_account_expire_policy = ad" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:58 include/ipa_modified_defaults.xml:58 msgid "ldap_use_tokengroups = true" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:63 msgid "ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:66 msgid "" "The AD provider looks for a different principal than the LDAP provider by " "default, because in an Active Directory environment the principals are " "divided into two groups - User Principals and Service Principals. Only User " "Principal can be used to obtain a TGT and by default, computer object's " "principal is constructed from its sAMAccountName and the AD realm. The " "well-known host/hostname@REALM principal is a Service Principal and thus " "cannot be used to get a TGT with." msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ad_modified_defaults.xml:80 msgid "NSS configuration" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:84 msgid "fallback_homedir = /home/%d/%u" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:87 msgid "" "The AD provider automatically sets \"fallback_homedir = /home/%d/%u\" to " "provide personal home directories for users without the homeDirectory " "attribute. If your AD Domain is properly populated with Posix attributes, " "and you want to avoid this fallback behavior, you can explicitly set " "\"fallback_homedir = %o\"." msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:96 msgid "" "Note that the system typically expects a home directory in /home/%u " "folder. If you decide to use a different directory structure, some other " "parts of your system may need adjustments." msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ad_modified_defaults.xml:102 msgid "" "For example automated creation of home directories in combination with " "selinux requires selinux adjustment, otherwise the home directory will be " "created with wrong selinux context." msgstr "" #. type: Content of: <refsect1><para> #: include/ipa_modified_defaults.xml:4 msgid "" "Certain option defaults do not match their respective backend provider " "defaults, these option names and IPA provider-specific defaults are listed " "below:" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:18 msgid "krb5_use_fast = try" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:23 msgid "krb5_canonicalize = true" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:29 msgid "LDAP Provider - General" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:33 msgid "ldap_schema = ipa_v1" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:43 msgid "ldap_sasl_mech = GSSAPI" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:48 msgid "ldap_sasl_minssf = 56" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:53 msgid "ldap_account_expire_policy = ipa" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:64 msgid "LDAP Provider - User options" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:68 msgid "ldap_user_member_of = memberOf" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:73 msgid "ldap_user_uuid = ipaUniqueID" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:78 msgid "ldap_user_ssh_public_key = ipaSshPubKey" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:83 msgid "ldap_user_auth_type = ipaUserAuthType" msgstr "" #. type: Content of: <refsect1><refsect2><title> #: include/ipa_modified_defaults.xml:89 msgid "LDAP Provider - Group options" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:93 msgid "ldap_group_object_class = ipaUserGroup" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:98 msgid "ldap_group_object_class_alt = posixGroup" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:103 msgid "ldap_group_member = member" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:108 msgid "ldap_group_uuid = ipaUniqueID" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:113 msgid "ldap_group_objectsid = ipaNTSecurityIdentifier" msgstr "" #. type: Content of: <refsect1><refsect2><itemizedlist><listitem><para> #: include/ipa_modified_defaults.xml:118 msgid "ldap_group_external_member = ipaExternalMember" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:3 msgid "krb5_auth_timeout (integer)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:6 msgid "" "Timeout in seconds after an online authentication request or change password " "request is aborted. If possible, the authentication request is continued " "offline." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:17 msgid "krb5_validate (boolean)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:20 msgid "" "Verify with the help of krb5_keytab that the TGT obtained has not been " "spoofed. The keytab is checked for entries sequentially, and the first entry " "with a matching realm is used for validation. If no entry matches the realm, " "the last entry in the keytab is used. This process can be used to validate " "environments using cross-realm trust by placing the appropriate keytab entry " "as the last entry or the only entry in the keytab file." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:29 msgid "Default: false (IPA and AD provider: true)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:32 msgid "" "Please note that the ticket validation is the first step when checking the " "PAC (see 'pac_check' in the <citerefentry> " "<refentrytitle>sssd.conf</refentrytitle> <manvolnum>5</manvolnum> " "</citerefentry> manual page for details). If ticket validation is disabled " "the PAC checks will be skipped as well." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:44 msgid "krb5_renewable_lifetime (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:47 msgid "" "Request a renewable ticket with a total lifetime, given as an integer " "immediately followed by a time unit:" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:52 include/krb5_options.xml:86 #: include/krb5_options.xml:123 msgid "<emphasis>s</emphasis> for seconds" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:55 include/krb5_options.xml:89 #: include/krb5_options.xml:126 msgid "<emphasis>m</emphasis> for minutes" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:58 include/krb5_options.xml:92 #: include/krb5_options.xml:129 msgid "<emphasis>h</emphasis> for hours" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:61 include/krb5_options.xml:95 #: include/krb5_options.xml:132 msgid "<emphasis>d</emphasis> for days." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:64 include/krb5_options.xml:135 msgid "If there is no unit given, <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:68 include/krb5_options.xml:139 msgid "" "NOTE: It is not possible to mix units. To set the renewable lifetime to one " "and a half hours, use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:73 msgid "Default: not set, i.e. the TGT is not renewable" msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:79 msgid "krb5_lifetime (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:82 msgid "" "Request ticket with a lifetime, given as an integer immediately followed by " "a time unit:" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:98 msgid "If there is no unit given <emphasis>s</emphasis> is assumed." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:102 msgid "" "NOTE: It is not possible to mix units. To set the lifetime to one and a " "half hours please use '90m' instead of '1h30m'." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:107 msgid "Default: not set, i.e. the default ticket lifetime configured on the KDC." msgstr "" #. type: Content of: <variablelist><varlistentry><term> #: include/krb5_options.xml:114 msgid "krb5_renew_interval (string)" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:117 msgid "" "The time in seconds between two checks if the TGT should be renewed. TGTs " "are renewed if about half of their lifetime is exceeded, given as an integer " "immediately followed by a time unit:" msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:144 msgid "If this option is not set or is 0 the automatic renewal is disabled." msgstr "" #. type: Content of: <variablelist><varlistentry><listitem><para> #: include/krb5_options.xml:157 msgid "" "Specifies if the host and user principal should be canonicalized. This " "feature is available with MIT Kerberos 1.7 and later versions." msgstr ""