summaryrefslogtreecommitdiffstats
path: root/src/man/sssd.conf.5.xml
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2010-02-18 07:49:04 -0500
committerStephen Gallagher <sgallagh@redhat.com>2010-02-18 13:48:45 -0500
commit1c48b5a62f73234ed26bb20f0ab345ab61cda0ab (patch)
tree0b6cddd567a862e1a7b5df23764869782a62ca78 /src/man/sssd.conf.5.xml
parent8c56df3176f528fe0260974b3bf934173c4651ea (diff)
downloadsssd-1c48b5a62f73234ed26bb20f0ab345ab61cda0ab.tar.gz
sssd-1c48b5a62f73234ed26bb20f0ab345ab61cda0ab.tar.xz
sssd-1c48b5a62f73234ed26bb20f0ab345ab61cda0ab.zip
Rename server/ directory to src/
Also update BUILD.txt
Diffstat (limited to 'src/man/sssd.conf.5.xml')
-rw-r--r--src/man/sssd.conf.5.xml808
1 files changed, 808 insertions, 0 deletions
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
new file mode 100644
index 000000000..7b240c8f4
--- /dev/null
+++ b/src/man/sssd.conf.5.xml
@@ -0,0 +1,808 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE reference PUBLIC "-//OASIS//DTD DocBook V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<reference>
+<title>SSSD Manual pages</title>
+<refentry>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="include/upstream.xml" />
+
+ <refmeta>
+ <refentrytitle>sssd.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="manual">File Formats and Conventions</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='name'>
+ <refname>sssd.conf</refname>
+ <refpurpose>the configuration file for SSSD</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='file-format'>
+ <title>FILE FORMAT</title>
+
+ <para>
+ The file has an ini-style syntax and consists of sections and
+ parameters. A section begins with the name of the section in
+ square brackets and continues until the next section begins. An
+ example of section with single and multi-valued parameters:
+ <programlisting>
+ <replaceable>[section]</replaceable>
+ <replaceable>key</replaceable> = <replaceable>value</replaceable>
+ <replaceable>key2</replaceable> = <replaceable>value2,value3</replaceable>
+ </programlisting>
+ </para>
+
+ <para>
+ The data types used are string (no quotes needed), integer
+ and bool (with values of <quote>TRUE/FALSE</quote>).
+ </para>
+
+ <para>
+ A line comment starts with a hash sign (<quote>#</quote>) or a
+ semicolon (<quote>;</quote>)
+ </para>
+
+ <para>
+ All sections can have an optional
+ <replaceable>description</replaceable> parameter. Its function
+ is only as a label for the section.
+ </para>
+
+ <para>
+ <filename>sssd.conf</filename> must be a regular file, owned by
+ root and only root may read from or write to the file.
+ </para>
+ </refsect1>
+
+ <refsect1 id='special-sections'>
+ <title>SPECIAL SECTIONS</title>
+
+ <refsect2 id='services'>
+ <title>The [sssd] section</title>
+ <para>
+ Individual pieces of SSSD functionality are provided by special
+ SSSD services that are started and stopped together with SSSD.
+ The services are managed by a special service frequently called
+ <quote>monitor</quote>. The <quote>[sssd]</quote> section is used
+ to configure the monitor as well as some other important options
+ like the identity domains.
+ <variablelist>
+ <title>Section parameters</title>
+ <varlistentry>
+ <term>config_file_version (integer)</term>
+ <listitem>
+ <para>
+ Indicates what is the syntax of the config
+ file. SSSD 0.6.0 and later use version 2.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>services</term>
+ <listitem>
+ <para>
+ Comma separated list of services that are
+ started when sssd itself starts.
+ </para>
+ <para>
+ Supported services: nss, pam
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>reconnection_retries (integer)</term>
+ <listitem>
+ <para>
+ Number of times services should attempt to
+ reconnect in the event of a Data Provider
+ crash or restart before they give up
+ </para>
+ <para>
+ Default: 3
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>domains</term>
+ <listitem>
+ <para>
+ A domain is a database containing user
+ information. SSSD can use more domains
+ at the same time, but at least one
+ must be configured or SSSD won't start.
+ This parameter described the list of domains
+ in the order you want them to be queried.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>re_expression (string)</term>
+ <listitem>
+ <para>
+ Regular expression that describes how to parse the string
+ containing user name and domain into these components.
+ </para>
+ <para>
+ Default: <quote>(?P&lt;name&gt;[^@]+)@?(?P&lt;domain&gt;[^@]*$)</quote>
+ which translates to "the name is everything up to the
+ <quote>@</quote> sign, the domain everything after that"
+ </para>
+ <para>
+ PLEASE NOTE: the support for non-unique named
+ subpatterns is not available on all plattforms
+ (e.g. RHEL5 and SLES10). Only plattforms with
+ libpcre version 7 or higher can support non-unique
+ named subpatterns.
+ </para>
+ <para>
+ PLEASE NOTE ALSO: older version of libpcre only
+ support the Python syntax (?P&lt;name&gt;) to label
+ subpatterns.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>full_name_format (string)</term>
+ <listitem>
+ <para>
+ A <citerefentry>
+ <refentrytitle>printf</refentrytitle>
+ <manvolnum>3</manvolnum>
+ </citerefentry>-compatible format that describes how to
+ translate a (name, domain) tuple into a fully qualified
+ name.
+ </para>
+ <para>
+ Default: <quote>%1$s@%2$s</quote>.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+ </refsect2>
+
+ </refsect1>
+
+ <refsect1 id='services-sections'>
+ <title>SERVICES SECTIONS</title>
+ <para>
+ Settings that can be used to configure different services
+ are described in this section. They should reside in the
+ [<replaceable>$NAME</replaceable>] section, for example,
+ for NSS service, the section would be <quote>[nss]</quote>
+ </para>
+
+ <refsect2 id='general'>
+ <title>General service configuration options</title>
+ <para>
+ These options can be used to configure any service.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>debug_level (integer)</term>
+ <listitem>
+ <para>
+ Sets the debug level for the service. The
+ value can be in range from 0 (only critical
+ messages) to 10 (very verbose).
+ </para>
+ <para>
+ Default: 0
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>debug_timestamps (bool)</term>
+ <listitem>
+ <para>
+ Add a timestamp to the debug messages
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>reconnection_retries (integer)</term>
+ <listitem>
+ <para>
+ Number of times services should attempt to
+ reconnect in the event of a Data Provider
+ crash or restart before they give up
+ </para>
+ <para>
+ Default: 3
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>command (string)</term>
+ <listitem>
+ <para>
+ By default, the executable
+ representing this service is called
+ <command>sssd_${service_name}</command>.
+ This directive allows to change the executable
+ name for the service. In the vast majority of
+ configurations, the default values should suffice.
+ </para>
+ <para>
+ Default: <command>sssd_${service_name}</command>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ <refsect2 id='NSS'>
+ <title>NSS configuration options</title>
+ <para>
+ These options can be used to configure the
+ Name Service Switch (NSS) service.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>enum_cache_timeout (integer)</term>
+ <listitem>
+ <para>
+ How many seconds should nss_sss cache enumerations
+ (requests for info about all users)
+ </para>
+ <para>
+ Default: 120
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>entry_cache_nowait_percentage (integer)</term>
+ <listitem>
+ <para>
+ The entry cache can be set to automatically update
+ entries in the background if they are requested
+ beyond a percentage of the entry_cache_timeout
+ value for the domain.
+ </para>
+ <para>
+ For example, if the domain's entry_cache_timeout
+ is set to 30s and entry_cache_nowait_percentage is
+ set to 50 (percent), entries that come in after 15
+ seconds past the last cache update will be
+ returned immediately, but the SSSD will go and
+ update the cache on its own, so that future
+ requests will not need to block waiting for a
+ cache update.
+ </para>
+ <para>
+ Valid values for this option are 0-99 and
+ represent a percentage of the entry_cache_timeout
+ for each domain. For performance reasons, this
+ percentage will never reduce the nowait timeout to
+ less than 10 seconds.
+ (0 disables this feature)
+ </para>
+ <para>
+ Default: 0
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>entry_negative_timeout (integer)</term>
+ <listitem>
+ <para>
+ Specifies for how long nss_sss should cache
+ negative cache hits (that is, queries for
+ invalid database entries, like nonexistent ones)
+ before asking the back end again.
+ </para>
+ <para>
+ Default: 15
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>filter_users, filter_groups (string)</term>
+ <listitem>
+ <para>
+ Exclude certain users from being fetched from the sss
+ NSS database. This is particulary useful for system
+ accounts.
+ </para>
+ <para>
+ Default: root
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>filter_users_in_groups (bool)</term>
+ <listitem>
+ <para>
+ If you want filtered user still be group members
+ set this option to false.
+ </para>
+ <para>
+ Default: true
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+ <refsect2 id='PAM'>
+ <title>PAM configuration options</title>
+ <para>
+ These options can be used to configure the
+ Pluggable Authentication Module (PAM) service.
+ </para>
+ <variablelist>
+ <varlistentry>
+ <term>offline_credentials_expiration (integer)</term>
+ <listitem>
+ <para>
+ If the authentication provider is offline, how
+ long should we allow cached logins (in days since
+ the last successful online login).
+ </para>
+ <para>
+ Default: 0 (No limit)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>offline_failed_login_attempts (integer)</term>
+ <listitem>
+ <para>
+ If the authentication provider is offline, how
+ many failed login attempts are allowed.
+ </para>
+ <para>
+ Default: 0 (No limit)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>offline_failed_login_delay (integer)</term>
+ <listitem>
+ <para>
+ The time in minutes which has to pass after
+ offline_failed_login_attempts has been reached
+ before a new login attempt is possible.
+ </para>
+ <para>
+ If set to 0 the user cannot authenticate offline if
+ offline_failed_login_attempts has been reached. Only
+ a successful online authentication can enable
+ enable offline authentication again.
+ </para>
+ <para>
+ Default: 5
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+ </refsect1>
+
+ <refsect1 id='domain-sections'>
+ <title>DOMAIN SECTIONS</title>
+ <para>
+ These configuration options can be present in a domain
+ configuration section, that is, in a section called
+ <quote>[domain/<replaceable>NAME</replaceable>]</quote>
+ <variablelist>
+ <varlistentry>
+ <term>min_id,max_id (integer)</term>
+ <listitem>
+ <para>
+ UID limits for the domain. If a domain contains
+ entry that is outside these limits, it is ignored
+ </para>
+ <para>
+ Default: 1000 for min_id, 0 (no limit) for max_id
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>timeout (integer)</term>
+ <listitem>
+ <para>
+ Timeout in seconds between heartbeats for this domain.
+ This is used to ensure that the backend process is
+ alive and capable of answering requests.
+ </para>
+ <para>
+ Default: 10
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>enumerate (bool)</term>
+ <listitem>
+ <para>
+ Determines if a domain can be enumerated. This
+ parameter can have one of the following values:
+ </para>
+ <para>
+ TRUE = Users and groups are enumerated
+ </para>
+ <para>
+ FALSE = No enumerations for this domain
+ </para>
+ <para>
+ Default: TRUE
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>entry_cache_timeout (integer)</term>
+ <listitem>
+ <para>
+ How many seconds should nss_sss consider
+ entries valid before asking the backend again
+ </para>
+ <para>
+ Default: 600
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>cache_credentials (bool)</term>
+ <listitem>
+ <para>
+ Determines if user credentials are also cached
+ in the local LDB cache
+ </para>
+ <para>
+ Default: FALSE
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>id_provider (string)</term>
+ <listitem>
+ <para>
+ The Data Provider identity backend to use for this
+ domain.
+ </para>
+ <para>
+ Supported backends:
+ </para>
+ <para>
+ proxy: Support a legacy NSS provider
+ </para>
+ <para>
+ local: SSSD internal local provider
+ </para>
+ <para>
+ ldap: LDAP provider
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>use_fully_qualified_names (bool)</term>
+ <listitem>
+ <para>
+ If set to TRUE, all requests to this domain
+ must use fully qualified names. For example,
+ if used in LOCAL domain that contains a "test"
+ user, <command>getent passwd test</command>
+ wouldn't find the user while <command>getent
+ passwd test@LOCAL</command> would.
+ </para>
+ <para>
+ Default: FALSE
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>auth_provider (string)</term>
+ <listitem>
+ <para>
+ The authentication provider used for the domain.
+ Supported auth providers are:
+ </para>
+ <para>
+ <quote>ldap</quote> for native LDAP authentication. See
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring LDAP.
+ </para>
+ <para>
+ <quote>krb5</quote> for Kerberos authentication. See
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring Kerberos.
+ </para>
+ <para>
+ <quote>proxy</quote> for relaying authentication to some other PAM target.
+ </para>
+ <para>
+ <quote>none</quote> disables authentication explicitly.
+ </para>
+ <para>
+ Default: <quote>id_provider</quote> is used if it
+ is set and can handle authentication requests.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>access_provider (string)</term>
+ <listitem>
+ <para>
+ The access control provider used for the domain.
+ There are two built-in access providers (in
+ addition to any included in installed backends)
+ Internal special providers are:
+ </para>
+ <para>
+ <quote>permit</quote> always allow access.
+ </para>
+ <para>
+ <quote>deny</quote> always deny access.
+ </para>
+ <para>
+ Default: <quote>permit</quote>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>chpass_provider (string)</term>
+ <listitem>
+ <para>
+ The provider which should handle change password
+ operations for the domain.
+ Supported change password providers are:
+ </para>
+ <para>
+ <quote>ldap</quote> to change a password stored
+ in a LDAP server. See
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring LDAP.
+ </para>
+ <para>
+ <quote>krb5</quote> to change the Kerberos
+ password. See
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry> for more information on configuring Kerberos.
+ </para>
+ <para>
+ <quote>proxy</quote> for relaying password changes
+ to some other PAM target.
+ </para>
+ <para>
+ <quote>none</quote> disallows password changes explicitly.
+ </para>
+ <para>
+ Default: <quote>auth_provider</quote> is used if it
+ is set and can handle change password requests.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <para>
+ Options valid for proxy domains.
+
+ <variablelist>
+ <varlistentry>
+ <term>proxy_pam_target (string)</term>
+ <listitem>
+ <para>
+ The proxy target PAM proxies to.
+ </para>
+ <para>
+ Default: not set by default, you have to take an
+ existing pam configuration or create a new one and
+ add the service name here.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>proxy_lib_name (string)</term>
+ <listitem>
+ <para>
+ The name of the NSS library to use in proxy
+ domains. The NSS functions searched for in the
+ library are in the form of
+ _nss_$(libName)_$(function), for example
+ _nss_files_getpwent.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+
+ <refsect2 id='local_domain'>
+ <title>The local domain section</title>
+ <para>
+ This section contains settings for domain that stores users and
+ groups in SSSD native database, that is, a domain that uses
+ <replaceable>id_provider=local</replaceable>.
+ </para>
+ <variablelist>
+ <title>Section parameters</title>
+ <varlistentry>
+ <term>default_shell (string)</term>
+ <listitem>
+ <para>
+ The default shell for users created
+ with SSSD userspace tools.
+ </para>
+ <para>
+ Default: <filename>/bin/bash</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>base_directory (string)</term>
+ <listitem>
+ <para>
+ The tools append the login name to
+ <replaceable>base_directory</replaceable> and
+ use that as the home directory.
+ </para>
+ <para>
+ Default: <filename>/home</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>create_homedir (bool)</term>
+ <listitem>
+ <para>
+ Indicate if a home directory should be created by default for new users.
+ Can be overriden on command line.
+ </para>
+ <para>
+ Default: TRUE
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>remove_homedir (bool)</term>
+ <listitem>
+ <para>
+ Indicate if a home directory should be removed by default for deleted users.
+ Can be overriden on command line.
+ </para>
+ <para>
+ Default: TRUE
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>homedir_umask (integer)</term>
+ <listitem>
+ <para>
+ Used by
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry> to specify the default permissions on a newly created
+ home directory.
+ </para>
+ <para>
+ Default: 077
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>skel_dir (string)</term>
+ <listitem>
+ <para>
+ The skeleton directory, which contains files
+ and directories to be copied in the user's
+ home directory, when the home directory is
+ created by
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>
+ </para>
+ <para>
+ Default: <filename>/etc/skel</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>mail_dir (string)</term>
+ <listitem>
+ <para>
+ The mail spool directory. This is needed to
+ manipulate the mailbox when its corresponding
+ user account is modified or deleted.
+ If not specified, a default
+ value is used.
+ </para>
+ <para>
+ Default: <filename>/var/mail</filename>
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect2>
+
+ </refsect1>
+
+ <refsect1 id='example'>
+ <title>EXAMPLE</title>
+ <para>
+ The following example shows a typical SSSD config. It does
+ not describe configuration of the domains themselves - refer to
+ documentation on configuring domains for more details.
+<programlisting>
+[sssd]
+domains = LDAP
+services = nss, pam
+config_file_version = 2
+
+[nss]
+filter_groups = root
+filter_users = root
+
+[pam]
+
+[domain/LDAP]
+id_provider = ldap
+ldap_uri = ldap://ldap.example.com
+ldap_search_base = dc=example,dc=com
+
+auth_provider = krb5
+krb5_kdcip = kerberos.example.com
+krb5_realm = EXAMPLE.COM
+cache_credentials = true
+
+min_id = 10000
+max_id = 20000
+enumerate = true
+</programlisting>
+ </para>
+ </refsect1>
+
+ <refsect1 id='see_also'>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>sssd-ldap</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sssd-krb5</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupadd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_groupmod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_useradd</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_userdel</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>sss_usermod</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam_sss</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+</refentry>
+</reference>