1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
|
import sys
import gettext
PACKAGE = 'sss_daemon'
LOCALEDIR = '/usr/share/locale'
translation = gettext.translation(PACKAGE, LOCALEDIR, fallback=True)
if sys.version_info[0] > 2:
_ = translation.gettext
else:
_ = translation.ugettext
class SSSDOptions(object):
def __init__(self):
pass
option_strings = {
# [service]
'debug': _('Set the verbosity of the debug logging'),
'debug_level': _('Set the verbosity of the debug logging'),
'debug_timestamps': _('Include timestamps in debug logs'),
'debug_microseconds': _('Include microseconds in timestamps in debug logs'),
'debug_backtrace_enabled': _('Enable/disable debug backtrace'),
'timeout': _('Watchdog timeout before restarting service'),
'command': _('Command to start service'),
'reconnection_retries': _('Number of times to attempt connection to Data Providers'),
'fd_limit': _('The number of file descriptors that may be opened by this responder'),
'client_idle_timeout': _('Idle time before automatic disconnection of a client'),
'responder_idle_timeout': _('Idle time before automatic shutdown of the responder'),
'cache_first': _('Always query all the caches before querying the Data Providers'),
'offline_timeout': _('When SSSD switches to offline mode the amount of time before it tries to go back online '
'will increase based upon the time spent disconnected. This value is in seconds and '
'calculated by the following: offline_timeout + random_offset.'),
# [sssd]
'config_file_version': _(
'Indicates what is the syntax of the config file. SSSD 0.6.0 and later use version 2.'),
'services': _('SSSD Services to start'),
'domains': _('SSSD Domains to start'),
're_expression': _('Regex to parse username and domain'),
'full_name_format': _('Printf-compatible format for displaying fully-qualified names'),
'krb5_rcache_dir': _('Directory on the filesystem where SSSD should store Kerberos replay cache files.'),
'default_domain_suffix': _('Domain to add to names without a domain component.'),
'user': _('The user to drop privileges to'),
'certificate_verification': _('Tune certificate verification'),
'override_space': _('All spaces in group or user names will be replaced with this character'),
'disable_netlink': _('Tune sssd to honor or ignore netlink state changes'),
'enable_files_domain': _('Enable or disable the implicit files domain'),
'domain_resolution_order': _('A specific order of the domains to be looked up'),
'monitor_resolv_conf': _('Controls if SSSD should monitor the state of resolv.conf to identify when it needs '
'to update its internal DNS resolver.'),
'try_inotify': _('SSSD monitors the state of resolv.conf to identify when it needs to update its internal DNS '
'resolver. By default, we will attempt to use inotify for this, and will fall back to '
'polling resolv.conf every five seconds if inotify cannot be used.'),
'implicit_pac_responder': _('Run PAC responder automatically for AD and IPA provider'),
'core_dumpable': _('Enable or disable core dumps for all SSSD processes.'),
'passkey_verification': _('Tune passkey verification behavior'),
# [nss]
'enum_cache_timeout': _('Enumeration cache timeout length (seconds)'),
'entry_cache_no_wait_timeout': _('Entry cache background update timeout length (seconds)'),
'entry_negative_timeout': _('Negative cache timeout length (seconds)'),
'local_negative_timeout': _('Files negative cache timeout length (seconds)'),
'filter_users': _('Users that SSSD should explicitly ignore'),
'filter_groups': _('Groups that SSSD should explicitly ignore'),
'filter_users_in_groups': _('Should filtered users appear in groups'),
'pwfield': _('The value of the password field the NSS provider should return'),
'override_homedir': _('Override homedir value from the identity provider with this value'),
'fallback_homedir': _('Substitute empty homedir value from the identity provider with this value'),
'override_shell': _('Override shell value from the identity provider with this value'),
'allowed_shells': _('The list of shells users are allowed to log in with'),
'vetoed_shells': _('The list of shells that will be vetoed, and replaced with the fallback shell'),
'shell_fallback': _('If a shell stored in central directory is allowed but not available, use this fallback'),
'default_shell': _('Shell to use if the provider does not list one'),
'memcache_timeout': _('How long will be in-memory cache records valid'),
'memcache_size_passwd': _(
'Size (in megabytes) of the data table allocated inside fast in-memory cache for passwd requests'),
'memcache_size_group': _(
'Size (in megabytes) of the data table allocated inside fast in-memory cache for group requests'),
'memcache_size_initgroups': _(
'Size (in megabytes) of the data table allocated inside fast in-memory cache for initgroups requests'),
'homedir_substring': _('The value of this option will be used in the expansion of the override_homedir option '
'if the template contains the format string %H.'),
'get_domains_timeout': _('Specifies time in seconds for which the list of subdomains will be considered '
'valid.'),
'entry_cache_nowait_percentage': _('The entry cache can be set to automatically update entries in the '
'background if they are requested beyond a percentage of the '
'entry_cache_timeout value for the domain.'),
# [pam]
'offline_credentials_expiration': _('How long to allow cached logins between online logins (days)'),
'offline_failed_login_attempts': _('How many failed logins attempts are allowed when offline'),
'offline_failed_login_delay': _(
'How long (minutes) to deny login after offline_failed_login_attempts has been reached'),
'pam_verbosity': _('What kind of messages are displayed to the user during authentication'),
'pam_response_filter': _('Filter PAM responses sent to the pam_sss'),
'pam_id_timeout': _('How many seconds to keep identity information cached for PAM requests'),
'pam_pwd_expiration_warning': _('How many days before password expiration a warning should be displayed'),
'pam_trusted_users': _('List of trusted uids or user\'s name'),
'pam_public_domains': _('List of domains accessible even for untrusted users.'),
'pam_account_expired_message': _('Message printed when user account is expired.'),
'pam_account_locked_message': _('Message printed when user account is locked.'),
'pam_cert_auth': _('Allow certificate based/Smartcard authentication.'),
'pam_cert_db_path': _('Path to certificate database with PKCS#11 modules.'),
'pam_cert_verification': _('Tune certificate verification for PAM authentication.'),
'p11_child_timeout': _('How many seconds will pam_sss wait for p11_child to finish'),
'pam_app_services': _('Which PAM services are permitted to contact application domains'),
'pam_p11_allowed_services': _('Allowed services for using smartcards'),
'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'),
'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
'pam_initgroups_scheme': _('When shall the PAM responder force an initgroups request'),
'pam_gssapi_services': _('List of PAM services that are allowed to authenticate with GSSAPI.'),
'pam_gssapi_check_upn': _('Whether to match authenticated UPN with target user'),
'pam_gssapi_indicators_map': _('List of pairs <PAM service>:<authentication indicator> that '
'must be enforced for PAM access with GSSAPI authentication'),
'pam_passkey_auth': _('Allow passkey device authentication.'),
'passkey_child_timeout': _('How many seconds will pam_sss wait for passkey_child to finish'),
'passkey_debug_libfido2': _('Enable debugging in the libfido2 library'),
# [sudo]
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
'sudo_inverse_order': _('If true, SSSD will switch back to lower-wins ordering logic'),
'sudo_threshold': _('Maximum number of rules that can be refreshed at once. If this is exceeded, full refresh '
'is performed.'),
# [autofs]
'autofs_negative_timeout': _('Negative cache timeout length (seconds)'),
# [ssh]
'ssh_hash_known_hosts': _('Whether to hash host names and addresses in the known_hosts file'),
'ssh_known_hosts_timeout': _('How many seconds to keep a host in the known_hosts file after its host keys '
'were requested'),
'ca_db': _('Path to storage of trusted CA certificates'),
'ssh_use_certificate_keys': _('Allow to generate ssh-keys from certificates'),
'ssh_use_certificate_matching_rules': _('Use the following matching rules to filter the certificates for '
'ssh-key generation'),
# [pac]
'allowed_uids': _('List of UIDs or user names allowed to access the PAC responder'),
'pac_lifetime': _('How long the PAC data is considered valid'),
'pac_check': _('Validate the PAC'),
# [ifp]
'user_attributes': _('List of user attributes the InfoPipe is allowed to publish'),
# [session_recording]
'scope': _('One of the following strings specifying the scope of session recording: none - No users are '
'recorded. some - Users/groups specified by users and groups options are recorded. all - All users '
'are recorded.'),
'users': _('A comma-separated list of users which should have session recording enabled. Matches user names '
'as returned by NSS. I.e. after the possible space replacement, case changes, etc.'),
'groups': _('A comma-separated list of groups, members of which should have session recording enabled. '
'Matches group names as returned by NSS. I.e. after the possible space replacement, case changes, '
'etc.'),
'exclude_users': _('A comma-separated list of users to be excluded from recording, only when scope=all'),
'exclude_groups': _('A comma-separated list of groups, members of which should be excluded from recording, '
' only when scope=all. '),
# [provider]
'id_provider': _('Identity provider'),
'auth_provider': _('Authentication provider'),
'access_provider': _('Access control provider'),
'chpass_provider': _('Password change provider'),
'sudo_provider': _('SUDO provider'),
'autofs_provider': _('Autofs provider'),
'hostid_provider': _('Host identity provider'),
'selinux_provider': _('SELinux provider'),
'session_provider': _('Session management provider'),
'resolver_provider': _('Resolver provider'),
# [domain]
'domain_type': _('Whether the domain is usable by the OS or by applications'),
'enabled': _('Enable or disable the domain'),
'min_id': _('Minimum user ID'),
'max_id': _('Maximum user ID'),
'enumerate': _('Enable enumerating all users/groups'),
'cache_credentials': _('Cache credentials for offline login'),
'use_fully_qualified_names': _('Display users/groups in fully-qualified form'),
'ignore_group_members': _('Don\'t include group members in group lookups'),
'entry_cache_timeout': _('Entry cache timeout length (seconds)'),
'lookup_family_order': _('Restrict or prefer a specific address family when performing DNS lookups'),
'account_cache_expiration': _('How long to keep cached entries after last successful login (days)'),
'dns_resolver_server_timeout': _('How long should SSSD talk to single DNS server before trying next server ('
'miliseconds)'),
'dns_resolver_op_timeout': _('How long should keep trying to resolve single DNS query (seconds)'),
'dns_resolver_timeout': _('How long to wait for replies from DNS when resolving servers (seconds)'),
'dns_discovery_domain': _('The domain part of service discovery DNS query'),
'failover_primary_timeout': _('How often SSSD tries to reconnect to the primary server after a successful '
'connection to the backup server.'),
'override_gid': _('Override GID value from the identity provider with this value'),
'case_sensitive': _('Treat usernames as case sensitive'),
'entry_cache_user_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_group_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_netgroup_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_service_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_autofs_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_sudo_timeout': _('Entry cache timeout length (seconds)'),
'entry_cache_resolver_timeout': _('Entry cache timeout length (seconds)'),
'refresh_expired_interval': _('How often should expired entries be refreshed in background'),
'refresh_expired_interval_offset': _("Maximum period deviation when refreshing expired entries in background"),
'dyndns_update': _("Whether to automatically update the client's DNS entry"),
'dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
'dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
'dyndns_refresh_interval': _("How often to periodically update the client's DNS entry"),
'dyndns_refresh_interval_offset': _("Maximum period deviation when updating the client's DNS entry"),
'dyndns_update_ptr': _("Whether the provider should explicitly update the PTR record as well"),
'dyndns_force_tcp': _("Whether the nsupdate utility should default to using TCP"),
'dyndns_auth': _("What kind of authentication should be used to perform the DNS update"),
'dyndns_server': _("Override the DNS server used to perform the DNS update"),
'subdomain_enumerate': _('Control enumeration of trusted domains'),
'subdomain_refresh_interval': _('How often should subdomains list be refreshed'),
'subdomain_refresh_interval_offset': _('Maximum period deviation when refreshing the subdomain list'),
'subdomain_inherit': _('List of options that should be inherited into a subdomain'),
'subdomain_homedir': _('Default subdomain homedir value'),
'cached_auth_timeout': _('How long can cached credentials be used for cached authentication'),
'auto_private_groups': _('Whether to automatically create private groups for users'),
'pwd_expiration_warning': _('Display a warning N days before the password expires.'),
'realmd_tags': _('Various tags stored by the realmd configuration service for this domain.'),
'subdomains_provider': _('The provider which should handle fetching of subdomains. This value should be '
'always the same as id_provider.'),
'entry_cache_ssh_host_timeout': _('How many seconds to keep a host ssh key after refresh. IE how long to '
'cache the host key for.'),
'cache_credentials_minimal_first_factor_length': _('If 2-Factor-Authentication (2FA) is used and credentials '
'should be saved this value determines the minimal length '
'the first authentication factor (long term password) must '
'have to be saved as SHA512 hash into the cache.'),
'local_auth_policy': _('Local authentication methods policy '),
# [provider/ipa]
'ipa_domain': _('IPA domain'),
'ipa_server': _('IPA server address'),
'ipa_backup_server': _('Address of backup IPA server'),
'ipa_hostname': _('IPA client hostname'),
'ipa_dyndns_update': _("Whether to automatically update the client's DNS entry in FreeIPA"),
'ipa_dyndns_ttl': _("The TTL to apply to the client's DNS entry after updating it"),
'ipa_dyndns_iface': _("The interface whose IP should be used for dynamic DNS updates"),
'ipa_hbac_search_base': _("Search base for HBAC related objects"),
'ipa_hbac_refresh': _("The amount of time between lookups of the HBAC rules against the IPA server"),
'ipa_selinux_refresh': _("The amount of time in seconds between lookups of the SELinux maps against the IPA "
"server"),
'ipa_hbac_support_srchost': _("If set to false, host argument given by PAM will be ignored"),
'ipa_automount_location': _("The automounter location this IPA client is using"),
'ipa_master_domain_search_base': _("Search base for object containing info about IPA domain"),
'ipa_ranges_search_base': _("Search base for objects containing info about ID ranges"),
'ipa_enable_dns_sites': _("Enable DNS sites - location based service discovery"),
'ipa_views_search_base': _("Search base for view containers"),
'ipa_view_class': _("Objectclass for view containers"),
'ipa_view_name': _("Attribute with the name of the view"),
'ipa_override_object_class': _("Objectclass for override objects"),
'ipa_anchor_uuid': _("Attribute with the reference to the original object"),
'ipa_user_override_object_class': _("Objectclass for user override objects"),
'ipa_group_override_object_class': _("Objectclass for group override objects"),
'ipa_deskprofile_search_base': _("Search base for Desktop Profile related objects"),
'ipa_deskprofile_refresh': _("The amount of time in seconds between lookups of the Desktop Profile rules "
"against the IPA server"),
'ipa_deskprofile_request_interval': _("The amount of time in minutes between lookups of Desktop Profiles "
"rules against the IPA server when the last request did not find any "
"rule"),
'ipa_subid_ranges_search_base': _("Search base for SUBID ranges"),
'ipa_access_order': _("Which rules should be used to evaluate access control"),
'ipa_host_fqdn': _('The LDAP attribute that contains FQDN of the host.'),
'ipa_host_object_class': _('The object class of a host entry in LDAP.'),
'ipa_host_search_base': _('Use the given string as search base for host objects.'),
'ipa_host_ssh_public_key': _('The LDAP attribute that contains the host\'s SSH public keys.'),
'ipa_netgroup_domain': _('The LDAP attribute that contains NIS domain name of the netgroup.'),
'ipa_netgroup_member': _('The LDAP attribute that contains the names of the netgroup\'s members.'),
'ipa_netgroup_member_ext_host': _('The LDAP attribute that lists FQDNs of hosts and host groups that are '
'members of the netgroup.'),
'ipa_netgroup_member_host': _('The LDAP attribute that lists hosts and host groups that are direct members of '
'the netgroup.'),
'ipa_netgroup_member_of': _('The LDAP attribute that lists netgroup\'s memberships.'),
'ipa_netgroup_member_user': _('The LDAP attribute that lists system users and groups that are direct members '
'of the netgroup.'),
'ipa_netgroup_name': _('The LDAP attribute that corresponds to the netgroup name.'),
'ipa_netgroup_object_class': _('The object class of a netgroup entry in LDAP.'),
'ipa_netgroup_uuid': _('The LDAP attribute that contains the UUID/GUID of an LDAP netgroup object.'),
'ipa_selinux_usermap_enabled': _('The LDAP attribute that contains whether or not is user map enabled for '
'usage.'),
'ipa_selinux_usermap_host_category': _('The LDAP attribute that contains host category such as \'all\'.'),
'ipa_selinux_usermap_member_host': _('The LDAP attribute that contains all hosts / hostgroups this rule match '
'against.'),
'ipa_selinux_usermap_member_user': _('The LDAP attribute that contains all users / groups this rule match '
'against.'),
'ipa_selinux_usermap_name': _('The LDAP attribute that contains the name of SELinux usermap.'),
'ipa_selinux_usermap_object_class': _('The object class of a host entry in LDAP.'),
'ipa_selinux_usermap_see_also': _('The LDAP attribute that contains DN of HBAC rule which can be used for '
'matching instead of memberUser and memberHost.'),
'ipa_selinux_usermap_selinux_user': _('The LDAP attribute that contains SELinux user string itself.'),
'ipa_selinux_usermap_user_category': _('The LDAP attribute that contains user category such as \'all\'.'),
'ipa_selinux_usermap_uuid': _('The LDAP attribute that contains unique ID of the user map.'),
'ipa_server_mode': _('The option denotes that the SSSD is running on IPA server and should perform lookups of '
'users and groups from trusted domains differently.'),
'ipa_subdomains_search_base': _('Use the given string as search base for trusted domains.'),
# [provider/ad]
'ad_domain': _('Active Directory domain'),
'ad_enabled_domains': _('Enabled Active Directory domains'),
'ad_server': _('Active Directory server address'),
'ad_backup_server': _('Active Directory backup server address'),
'ad_hostname': _('Active Directory client hostname'),
'ad_enable_dns_sites': _('Enable DNS sites - location based service discovery'),
'ad_access_filter': _('LDAP filter to determine access privileges'),
'ad_enable_gc': _('Whether to use the Global Catalog for lookups'),
'ad_gpo_access_control': _('Operation mode for GPO-based access control'),
'ad_gpo_cache_timeout': _("The amount of time between lookups of the GPO policy files against the AD server"),
'ad_gpo_map_interactive': _('PAM service names that map to the GPO (Deny)InteractiveLogonRight '
'policy settings'),
'ad_gpo_map_remote_interactive': _('PAM service names that map to the GPO (Deny)RemoteInteractiveLogonRight '
'policy settings'),
'ad_gpo_map_network': _('PAM service names that map to the GPO (Deny)NetworkLogonRight policy settings'),
'ad_gpo_map_batch': _('PAM service names that map to the GPO (Deny)BatchLogonRight policy settings'),
'ad_gpo_map_service': _('PAM service names that map to the GPO (Deny)ServiceLogonRight policy settings'),
'ad_gpo_map_permit': _('PAM service names for which GPO-based access is always granted'),
'ad_gpo_map_deny': _('PAM service names for which GPO-based access is always denied'),
'ad_gpo_default_right': _('Default logon right (or permit/deny) to use for unmapped PAM service names'),
'ad_site': _('a particular site to be used by the client'),
'ad_maximum_machine_account_password_age': _('Maximum age in days before the machine account password should '
'be renewed'),
'ad_machine_account_password_renewal_opts': _('Option for tuning the machine account renewal task'),
'ad_update_samba_machine_account_password': _('Whether to update the machine account password in the Samba '
'database'),
'ad_use_ldaps': _('Use LDAPS port for LDAP and Global Catalog requests'),
'ad_allow_remote_domain_local_groups': _('Do not filter domain local groups from other domains'),
# [provider/krb5]
'krb5_kdcip': _('Kerberos server address'),
'krb5_server': _('Kerberos server address'),
'krb5_backup_server': _('Kerberos backup server address'),
'krb5_realm': _('Kerberos realm'),
'krb5_auth_timeout': _('Authentication timeout'),
'krb5_use_kdcinfo': _('Whether to create kdcinfo files'),
'krb5_confd_path': _('Where to drop krb5 config snippets'),
# [provider/krb5/auth]
'krb5_ccachedir': _('Directory to store credential caches'),
'krb5_ccname_template': _("Location of the user's credential cache"),
'krb5_keytab': _("Location of the keytab to validate credentials"),
'krb5_validate': _("Enable credential validation"),
'krb5_store_password_if_offline': _("Store password if offline for later online authentication"),
'krb5_renewable_lifetime': _("Renewable lifetime of the TGT"),
'krb5_lifetime': _("Lifetime of the TGT"),
'krb5_renew_interval': _("Time between two checks for renewal"),
'krb5_use_fast': _("Enables FAST"),
'krb5_fast_principal': _("Selects the principal to use for FAST"),
'krb5_fast_use_anonymous_pkinit': _("Use anonymous PKINIT to request FAST credentials"),
'krb5_canonicalize': _("Enables principal canonicalization"),
'krb5_use_enterprise_principal': _("Enables enterprise principals"),
'krb5_use_subdomain_realm': _("Enables using of subdomains realms for authentication"),
'krb5_map_user': _('A mapping from user names to Kerberos principal names'),
# [provider/krb5/chpass]
'krb5_kpasswd': _('Server where the change password service is running if not on the KDC'),
'krb5_backup_kpasswd': _('Server where the change password service is running if not on the KDC'),
# [provider/ldap]
'ldap_uri': _('ldap_uri, The URI of the LDAP server'),
'ldap_backup_uri': _('ldap_backup_uri, The URI of the LDAP server'),
'ldap_search_base': _('The default base DN'),
'ldap_schema': _('The Schema Type in use on the LDAP server, rfc2307'),
'ldap_pwmodify_mode': _('Mode used to change user password'),
'ldap_default_bind_dn': _('The default bind DN'),
'ldap_default_authtok_type': _('The type of the authentication token of the default bind DN'),
'ldap_default_authtok': _('The authentication token of the default bind DN'),
'ldap_network_timeout': _('Length of time to attempt connection'),
'ldap_opt_timeout': _('Length of time to attempt synchronous LDAP operations'),
'ldap_offline_timeout': _('Length of time between attempts to reconnect while offline'),
'ldap_force_upper_case_realm': _('Use only the upper case for realm names'),
'ldap_tls_cacert': _('File that contains CA certificates'),
'ldap_tls_cacertdir': _('Path to CA certificate directory'),
'ldap_tls_cert': _('File that contains the client certificate'),
'ldap_tls_key': _('File that contains the client key'),
'ldap_tls_cipher_suite': _('List of possible ciphers suites'),
'ldap_tls_reqcert': _('Require TLS certificate verification'),
'ldap_sasl_mech': _('Specify the sasl mechanism to use'),
'ldap_sasl_authid': _('Specify the sasl authorization id to use'),
'ldap_sasl_realm': _('Specify the sasl authorization realm to use'),
'ldap_sasl_minssf': _('Specify the minimal SSF for LDAP sasl authorization'),
'ldap_sasl_maxssf': _('Specify the maximal SSF for LDAP sasl authorization'),
'ldap_krb5_keytab': _('Kerberos service keytab'),
'ldap_krb5_init_creds': _('Use Kerberos auth for LDAP connection'),
'ldap_referrals': _('Follow LDAP referrals'),
'ldap_krb5_ticket_lifetime': _('Lifetime of TGT for LDAP connection'),
'ldap_deref': _('How to dereference aliases'),
'ldap_dns_service_name': _('Service name for DNS service lookups'),
'ldap_page_size': _('The number of records to retrieve in a single LDAP query'),
'ldap_deref_threshold': _('The number of members that must be missing to trigger a full deref'),
'ldap_ignore_unreadable_references': _('Ignore unreadable LDAP references'),
'ldap_sasl_canonicalize': _('Whether the LDAP library should perform a reverse lookup to canonicalize the '
'host name during a SASL bind'),
'ldap_rfc2307_fallback_to_local_users': _('Allows to retain local users as members of an LDAP group for '
'servers that use the RFC2307 schema.'),
'ldap_entry_usn': _('entryUSN attribute'),
'ldap_rootdse_last_usn': _('lastUSN attribute'),
'ldap_connection_expiration_timeout': _('How long to retain a connection to the LDAP server before '
'disconnecting'),
'ldap_disable_paging': _('Disable the LDAP paging control'),
'ldap_disable_range_retrieval': _('Disable Active Directory range retrieval'),
# [provider/ldap/id]
'ldap_search_timeout': _('Length of time to wait for a search request'),
'ldap_enumeration_search_timeout': _('Length of time to wait for a enumeration request'),
'ldap_enumeration_refresh_timeout': _('Length of time between enumeration updates'),
'ldap_enumeration_refresh_offset': _('Maximum period deviation between enumeration updates'),
'ldap_purge_cache_timeout': _('Length of time between cache cleanups'),
'ldap_purge_cache_offset': _('Maximum time deviation between cache cleanups'),
'ldap_id_use_start_tls': _('Require TLS for ID lookups'),
'ldap_id_mapping': _('Use ID-mapping of objectSID instead of pre-set IDs'),
'ldap_user_search_base': _('Base DN for user lookups'),
'ldap_user_search_scope': _('Scope of user lookups'),
'ldap_user_search_filter': _('Filter for user lookups'),
'ldap_user_object_class': _('Objectclass for users'),
'ldap_user_name': _('Username attribute'),
'ldap_user_uid_number': _('UID attribute'),
'ldap_user_gid_number': _('Primary GID attribute'),
'ldap_user_gecos': _('GECOS attribute'),
'ldap_user_home_directory': _('Home directory attribute'),
'ldap_user_shell': _('Shell attribute'),
'ldap_user_uuid': _('UUID attribute'),
'ldap_user_objectsid': _("objectSID attribute"),
'ldap_user_primary_group': _('Active Directory primary group attribute for ID-mapping'),
'ldap_user_principal': _('User principal attribute (for Kerberos)'),
'ldap_user_fullname': _('Full Name'),
'ldap_user_member_of': _('memberOf attribute'),
'ldap_user_modify_timestamp': _('Modification time attribute'),
'ldap_user_shadow_last_change': _('shadowLastChange attribute'),
'ldap_user_shadow_min': _('shadowMin attribute'),
'ldap_user_shadow_max': _('shadowMax attribute'),
'ldap_user_shadow_warning': _('shadowWarning attribute'),
'ldap_user_shadow_inactive': _('shadowInactive attribute'),
'ldap_user_shadow_expire': _('shadowExpire attribute'),
'ldap_user_shadow_flag': _('shadowFlag attribute'),
'ldap_user_authorized_service': _('Attribute listing authorized PAM services'),
'ldap_user_authorized_host': _('Attribute listing authorized server hosts'),
'ldap_user_authorized_rhost': _('Attribute listing authorized server rhosts'),
'ldap_user_krb_last_pwd_change': _('krbLastPwdChange attribute'),
'ldap_user_krb_password_expiration': _('krbPasswordExpiration attribute'),
'ldap_pwd_attribute': _('Attribute indicating that server side password policies are active'),
'ldap_user_ad_account_expires': _('accountExpires attribute of AD'),
'ldap_user_ad_user_account_control': _('userAccountControl attribute of AD'),
'ldap_ns_account_lock': _('nsAccountLock attribute'),
'ldap_user_nds_login_disabled': _('loginDisabled attribute of NDS'),
'ldap_user_nds_login_expiration_time': _('loginExpirationTime attribute of NDS'),
'ldap_user_nds_login_allowed_time_map': _('loginAllowedTimeMap attribute of NDS'),
'ldap_user_ssh_public_key': _('SSH public key attribute'),
'ldap_user_auth_type': _('attribute listing allowed authentication types for a user'),
'ldap_user_certificate': _('attribute containing the X509 certificate of the user'),
'ldap_user_email': _('attribute containing the email address of the user'),
'ldap_user_passkey': _('attribute containing the passkey mapping data of the user'),
'ldap_user_extra_attrs': _('A list of extra attributes to download along with the user entry'),
'ldap_group_search_base': _('Base DN for group lookups'),
'ldap_group_object_class': _('Objectclass for groups'),
'ldap_group_name': _('Group name'),
'ldap_group_pwd': _('Group password'),
'ldap_group_gid_number': _('GID attribute'),
'ldap_group_member': _('Group member attribute'),
'ldap_group_uuid': _('Group UUID attribute'),
'ldap_group_objectsid': _("objectSID attribute"),
'ldap_group_modify_timestamp': _('Modification time attribute for groups'),
'ldap_group_type': _('Type of the group and other flags'),
'ldap_group_external_member': _('The LDAP group external member attribute'),
'ldap_group_nesting_level': _('Maximum nesting level SSSD will follow'),
'ldap_group_search_filter': _('Filter for group lookups'),
'ldap_group_search_scope': _('Scope of group lookups'),
'ldap_netgroup_search_base': _('Base DN for netgroup lookups'),
'ldap_netgroup_object_class': _('Objectclass for netgroups'),
'ldap_netgroup_name': _('Netgroup name'),
'ldap_netgroup_member': _('Netgroups members attribute'),
'ldap_netgroup_triple': _('Netgroup triple attribute'),
'ldap_netgroup_modify_timestamp': _('Modification time attribute for netgroups'),
'ldap_service_search_base': _('Base DN for service lookups'),
'ldap_service_object_class': _('Objectclass for services'),
'ldap_service_name': _('Service name attribute'),
'ldap_service_port': _('Service port attribute'),
'ldap_service_proto': _('Service protocol attribute'),
'ldap_idmap_range_min': _('Lower bound for ID-mapping'),
'ldap_idmap_range_max': _('Upper bound for ID-mapping'),
'ldap_idmap_range_size': _('Number of IDs for each slice when ID-mapping'),
'ldap_idmap_autorid_compat': _('Use autorid-compatible algorithm for ID-mapping'),
'ldap_idmap_default_domain': _('Name of the default domain for ID-mapping'),
'ldap_idmap_default_domain_sid': _('SID of the default domain for ID-mapping'),
'ldap_idmap_helper_table_size': _('Number of secondary slices'),
'ldap_use_tokengroups': _('Whether to use Token-Groups'),
'ldap_min_id': _('Set lower boundary for allowed IDs from the LDAP server'),
'ldap_max_id': _('Set upper boundary for allowed IDs from the LDAP server'),
'ldap_pwdlockout_dn': _('DN for ppolicy queries'),
'wildcard_limit': _('How many maximum entries to fetch during a wildcard request'),
'ldap_library_debug_level': _('Set libldap debug level'),
# [provider/ldap/auth]
'ldap_pwd_policy': _('Policy to evaluate the password expiration'),
# [provider/ldap/access]
'ldap_access_filter': _('LDAP filter to determine access privileges'),
'ldap_account_expire_policy': _('Which attributes shall be used to evaluate if an account is expired'),
'ldap_access_order': _('Which rules should be used to evaluate access control'),
# [provider/ldap/chpass]
'ldap_chpass_uri': _('URI of an LDAP server where password changes are allowed'),
'ldap_chpass_backup_uri': _('URI of a backup LDAP server where password changes are allowed'),
'ldap_chpass_dns_service_name': _('DNS service name for LDAP password change server'),
'ldap_chpass_update_last_change': _('Whether to update the ldap_user_shadow_last_change attribute after a '
'password change'),
# [provider/ldap/sudo]
'ldap_sudo_search_base': _('Base DN for sudo rules lookups'),
'ldap_sudo_full_refresh_interval': _('Automatic full refresh period'),
'ldap_sudo_smart_refresh_interval': _('Automatic smart refresh period'),
'ldap_sudo_random_offset': _('Smart and full refresh random offset'),
'ldap_sudo_use_host_filter': _('Whether to filter rules by hostname, IP addresses and network'),
'ldap_sudo_hostnames': _('Hostnames and/or fully qualified domain names of this machine to filter sudo rules'),
'ldap_sudo_ip': _('IPv4 or IPv6 addresses or network of this machine to filter sudo rules'),
'ldap_sudo_include_netgroups': _('Whether to include rules that contains netgroup in host attribute'),
'ldap_sudo_include_regexp': _('Whether to include rules that contains regular expression in host attribute'),
'ldap_sudorule_object_class': _('Object class for sudo rules'),
'ldap_sudorule_object_class_attr': _('Name of attribute that is used as object class for sudo rules'),
'ldap_sudorule_name': _('Sudo rule name'),
'ldap_sudorule_command': _('Sudo rule command attribute'),
'ldap_sudorule_host': _('Sudo rule host attribute'),
'ldap_sudorule_user': _('Sudo rule user attribute'),
'ldap_sudorule_option': _('Sudo rule option attribute'),
'ldap_sudorule_runas': _('Sudo rule runas attribute'),
'ldap_sudorule_runasuser': _('Sudo rule runasuser attribute'),
'ldap_sudorule_runasgroup': _('Sudo rule runasgroup attribute'),
'ldap_sudorule_notbefore': _('Sudo rule notbefore attribute'),
'ldap_sudorule_notafter': _('Sudo rule notafter attribute'),
'ldap_sudorule_order': _('Sudo rule order attribute'),
# [provider/ldap/autofs]
'ldap_autofs_map_object_class': _('Object class for automounter maps'),
'ldap_autofs_map_name': _('Automounter map name attribute'),
'ldap_autofs_entry_object_class': _('Object class for automounter map entries'),
'ldap_autofs_entry_key': _('Automounter map entry key attribute'),
'ldap_autofs_entry_value': _('Automounter map entry value attribute'),
'ldap_autofs_search_base': _('Base DN for automounter map lookups'),
'ldap_autofs_map_master_name': _('The name of the automount master map in LDAP.'),
# [provider/ldap/resolver]
'ldap_iphost_search_base': _('Base DN for IP hosts lookups'),
'ldap_iphost_object_class': _('Object class for IP hosts'),
'ldap_iphost_name': _('IP host name attribute'),
'ldap_iphost_number': _('IP host number (address) attribute'),
'ldap_iphost_entry_usn': _('IP host entryUSN attribute'),
'ldap_ipnetwork_search_base': _('Base DN for IP networks lookups'),
'ldap_ipnetwork_object_class': _('Object class for IP networks'),
'ldap_ipnetwork_name': _('IP network name attribute'),
'ldap_ipnetwork_number': _('IP network number (address) attribute'),
'ldap_ipnetwork_entry_usn': _('IP network entryUSN attribute'),
# [provider/simple/access]
'simple_allow_users': _('Comma separated list of allowed users'),
'simple_deny_users': _('Comma separated list of prohibited users'),
'simple_allow_groups': _('Comma separated list of groups that are allowed to log in. This applies only to '
'groups within this SSSD domain. Local groups are not evaluated.'),
'simple_deny_groups': _('Comma separated list of groups that are explicitly denied access. This applies only '
'to groups within this SSSD domain. Local groups are not evaluated.'),
# [provider/proxy]
'proxy_max_children': _('The number of preforked proxy children.'),
# [provider/proxy/id]
'proxy_lib_name': _('The name of the NSS library to use'),
'proxy_resolver_lib_name': _('The name of the NSS library to use for hosts and networks lookups'),
'proxy_fast_alias': _('Whether to look up canonical group name from cache if possible'),
# [provider/proxy/auth]
'proxy_pam_target': _('PAM stack to use'),
# [provider/files]
'passwd_files': _('Path of passwd file sources.'),
'group_files': _('Path of group file sources.')
}
|