authorJakub Hrozek <jhrozek@redhat.com>2014-01-02 17:23:08 +0100
committerJakub Hrozek <jhrozek@redhat.com>2014-06-03 13:35:12 +0200
commitdc8e542f5e9b2cc6373af94e27a0ce26a220edef (patch)
tree10e8e3198ee03ca2f7ade47c9c3c5852546ff5e0 /src/man
parent6ad198aad0406bf6649540ff99c699cdc3f5f3b7 (diff)
IFP: Per-attribute ACL for users
Introduces a new option called user_attributes that specifies which user attributes are allowed to be queried from the IFP responder. By default only the default POSIX set is allowed; this option makes it possible either to add other attributes (+attrname) or to remove them from the default set (-attrname). Reviewed-by: Pavel Březina <pbrezina@redhat.com> (cherry picked from commit 770dc892f867639f36f84455d65be6287935a529)
Diffstat (limited to 'src/man')
-rw-r--r--src/man/sssd-ifp.5.xml62
1 files changed, 62 insertions, 0 deletions
diff --git a/src/man/sssd-ifp.5.xml b/src/man/sssd-ifp.5.xml
index 7e2ea7cfc..867c117ed 100644
--- a/src/man/sssd-ifp.5.xml
+++ b/src/man/sssd-ifp.5.xml
@@ -69,6 +69,68 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>user_attributes (string)</term>
+ <listitem>
+ <para>
+ Specifies the comma-separated list of white
+ or blacklisted attributes.
+ </para>
+ <para>
+ By default, the InfoPipe responder only
+ allows the default set of POSIX attributes to
+ be requested. This set is the same as returned by
+ <citerefentry>
+ <refentrytitle>getpwnam</refentrytitle>
+ <manvolnum>3</manvolnum>
+ </citerefentry>
+ and includes:
+ <variablelist>
+ <varlistentry>
+ <term>name</term>
+ <listitem><para>user's login name</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>uidNumber</term>
+ <listitem><para>user ID</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>gidNumber</term>
+ <listitem><para>primary group ID</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>gecos</term>
+ <listitem><para>user information, typically full name</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>homeDirectory</term>
+ <listitem><para>home directory</para></listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>loginShell</term>
+ <listitem><para>user shell</para></listitem>
+ </varlistentry>
+ </variablelist>
+ </para>
+ <para>
+ It is possible to add another attribute to
+ this set by using <quote>+attr_name</quote>
+ or explicitly remove an attribute using
+ <quote>-attr_name</quote>. For example, to
+ allow <quote>telephoneNumber</quote> but deny
+ <quote>loginShell</quote>, you would use the
+ following configuration:
+ <programlisting>
+user_attributes = +telephoneNumber, -loginShell
+ </programlisting>
+ </para>
+ <para>
+ Default: not set. Only the default set of
+ POSIX attributes is allowed.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>