Diffstat (limited to 'src')
-rw-r--r-- | src/man/sssd-ldap.5.xml | 125 |
-rw-r--r-- | src/man/sssd.conf.5.xml | 40 |
2 files changed, 131 insertions, 34 deletions
diff --git a/src/man/sssd-ldap.5.xml b/src/man/sssd-ldap.5.xml index d20d84bca..d7e29e221 100644 --- a/src/man/sssd-ldap.5.xml +++ b/src/man/sssd-ldap.5.xml 
@@ -1923,27 +1923,136 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com </varlistentry> <varlistentry> - <term>ldap_sudo_refresh_enabled (boolean)</term> + <term>ldap_sudo_full_refresh_interval (integer)</term> <listitem> <para> - Enables periodical download of all sudo rules. - The cache is purged before each update. + How many seconds SSSD will wait between executing + a full refresh of sudo rules (which downloads all + rules that are stored on the server). </para> <para> - Default: false + The value must be greater than + <emphasis>ldap_sudo_smart_refresh_interval + </emphasis> + </para> + <para> + Default: 21600 (6 hours) </para> </listitem> </varlistentry> <varlistentry> - <term>ldap_sudo_refresh_timeout (integer)</term> + <term>ldap_sudo_smart_refresh_interval (integer)</term> <listitem> <para> - How many seconds SSSD has to wait before refreshing - its cache of sudo rules. + How many seconds SSSD has to wait before executing + a smart refresh of sudo rules (which downloads all + rules that have USN higher than the highest USN of + cached rules). </para> <para> - Default: 300 + If USN attributes are not supported by the server, + the modifyTimestamp attribute is used instead. + </para> + <para> + Default: 900 (15 minutes) + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_sudo_use_host_filter (boolean)</term> + <listitem> + <para> + If true, SSSD will download only rules that are + applicable to this machine (using the IPv4 or IPv6 + host/network addresses and hostnames). + </para> + <para> + Default: true + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_sudo_hostnames (string)</term> + <listitem> + <para> + Space separated list of hostnames or fully qualified + domain names that should be used to filter + the rules. + </para> + <para> + <emphasis>Note:</emphasis> autoconfiguration is not + yet supported, therefore if this option is left + empty then hostname matching will be disabled. 
+ </para> + <para> + If <emphasis>ldap_sudo_use_host_filter</emphasis> + is <emphasis>false</emphasis> then this option + has no effect. + </para> + <para> + Default: not specified + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_sudo_ip (string)</term> + <listitem> + <para> + Space separated list of IPv4 or IPv6 + host/network addresses that should be used to filter + the rules. + </para> + <para> + If this option is empty, SSSD will try to + discover the addresses automatically. + </para> + <para> + If <emphasis>ldap_sudo_use_host_filter</emphasis> + is <emphasis>false</emphasis> then this option + has no effect. + </para> + <para> + Default: not specified + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_sudo_include_netgroups (boolean)</term> + <listitem> + <para> + If true then SSSD will download every rule that + contains a netgroup in sudoHost attribute. + </para> + <para> + If <emphasis>ldap_sudo_use_host_filter</emphasis> + is <emphasis>false</emphasis> then this option + has no effect. + </para> + <para> + Default: true + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>ldap_sudo_include_regexp (boolean)</term> + <listitem> + <para> + If true then SSSD will download every rule that + contains a regular expression in sudoHost attribute. + </para> + <para> + If <emphasis>ldap_sudo_use_host_filter</emphasis> + is <emphasis>false</emphasis> then this option + has no effect. + </para> + <para> + Default: true </para> </listitem> </varlistentry> diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index e6a1bbcdf..bb9b91296 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml 
@@ -721,31 +721,6 @@ </para> <variablelist> <varlistentry> - <term>sudo_cache_timeout (integer)</term> - <listitem> - <para> - For any sudo request that comes while SSSD is - online, the SSSD will attempt to update the cached - rules in order to ensure that sudo has the latest - ruleset. - </para> - <para> - The user may, however, run a couple of sudo commands - successively, which would trigger multiple LDAP requests. - In order to speed up this use-case, the sudo service - maintains an in-memory cache that would be used for - performing fast replies. - </para> - <para> - This option controls how long (in seconds) can the sudo - service cache rules for a user. - </para> - <para> - Default: 180 - </para> - </listitem> - </varlistentry> - <varlistentry> <term>sudo_timed (bool)</term> <listitem> <para> @@ -985,7 +960,20 @@ </para> </listitem> </varlistentry> - + + <varlistentry condition="with_sudo"> + <term>entry_cache_sudo_timeout (integer)</term> + <listitem> + <para> + How many seconds should sudo consider + rules valid before asking the backend again + </para> + <para> + Default: entry_cache_timeout + </para> + </listitem> + </varlistentry> + <varlistentry> <term>cache_credentials (bool)</term> <listitem> |
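Review bot: In the src/man/sssd-ldap.5.xml hunk (@@ -1923), the new ldap_sudo_full_refresh_interval and ldap_sudo_smart_refresh_interval entries never say how a rule deleted on the server leaves the cache, while the text they replace stated "The cache is purged before each update." A smart refresh as described only fetches rules with a USN higher than the cached maximum, so it has no way to notice a deletion; if only the full refresh removes such rules, say so in the ldap_sudo_full_refresh_interval entry and note that a revoked rule can then remain cached for up to the 21600-second default. The sentence "The value must be greater than ldap_sudo_smart_refresh_interval" also lacks its closing period and does not say what happens when the constraint is violated. Separately, ldap_sudo_use_host_filter defaults to true and ldap_sudo_hostnames defaults to empty, which by the note under ldap_sudo_hostnames appears to mean hostname matching is disabled out of the box; the ldap_sudo_use_host_filter entry should state that directly so an administrator knows that rules naming this machine only by hostname need ldap_sudo_hostnames set.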
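Review bot: In the first src/man/sssd.conf.5.xml hunk (@@ -721), sudo_cache_timeout is removed from the man page with no pointer for configurations that still set it. If entry_cache_sudo_timeout, added later in this patch, is the intended successor, say so in its entry, and state whether a leftover sudo_cache_timeout line is ignored or rejected; the same applies to ldap_sudo_refresh_enabled and ldap_sudo_refresh_timeout, which are dropped from sssd-ldap.5.xml. The removed text also explained why a short-lived cache exists (several sudo commands run in succession), and none of the added text carries that rationale forward.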
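Review bot: In the second src/man/sssd.conf.5.xml hunk (@@ -985), the entry_cache_sudo_timeout description "How many seconds should sudo consider rules valid before asking the backend again" is missing its closing period and does not say how this timeout relates to ldap_sudo_smart_refresh_interval and ldap_sudo_full_refresh_interval, which this patch documents as the periodic refresh controls. Add a sentence on what "asking the backend again" triggers, since this value bounds how long a cached rule is trusted without being rechecked. "Default: entry_cache_timeout" would be easier to use with the effective number of seconds alongside it or a reference to that option's entry. The new entry carries condition="with_sudo" while none of the ldap_sudo_* entries added to sssd-ldap.5.xml do; confirm that difference is intended.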