path: root/src/man/sssd.conf.5.xml
Commit message | Author | Age | Files | Lines
* subdomains: Inherit cleanup period and tokengroup settings from parent domain | Jakub Hrozek | 2015-06-08 | 1 | -0/+9
  Allows the administrator to extend the functionality of ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to the subdomains.
  This is a less intrusive way of achieving: https://fedorahosted.org/sssd/ticket/2627
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit 9b162bf39ef75629f54ffa1d0bd5f9c13119b650)
  Conflicts: src/tests/cmocka/test_sdap.c
* UTIL: Inherit ignore_group_members | Jakub Hrozek | 2015-06-08 | 1 | -0/+4
  Resolves: https://fedorahosted.org/sssd/ticket/2644
  Allows the administrators to extend ignore_group_members to subdomains as well by setting:
      subdomain_inherit = ignore_group_members
  in the domain section.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit 01c049ceef55c7bbfca1e47cecb2a0a2cf0a5d44)
* confdb: Add new option subdomain_inherit | Jakub Hrozek | 2015-06-08 | 1 | -1/+19
  Adds a new option subdomain_inherit that would allow administrators to pick and choose which option to pass to subdomains.
  This option is required for: https://fedorahosted.org/sssd/ticket/2644 as a short-term fix.
  The proper solution is described in: https://fedorahosted.org/sssd/ticket/2599
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  (cherry picked from commit 1711cbfd2e36d44af1ae50e3a2beeec3a1f0b5e8)
* MAN: Misspelled username in pam_trusted_users is not fatal | Jakub Hrozek | 2014-12-13 | 1 | -5/+0
  The man page claimed that failing to resolve a user name results in failure to start SSSD, but it's not the case and shouldn't be, because marking a user as trusted only elevates privileges, so it's safe to ignore that failure.
  https://fedorahosted.org/sssd/ticket/2530
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Man: debug_timestamps and debug_microseconds | Michal Zidek | 2014-11-20 | 1 | -2/+6
  Add note that these two options are ignored if journald is used.
  https://fedorahosted.org/sssd/ticket/2498
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Update case_sensitive=Preserving in man pages. | Michal Zidek | 2014-11-20 | 1 | -2/+5
  https://fedorahosted.org/sssd/ticket/2462
* nss: parse user_attributes option | Sumit Bose | 2014-11-05 | 1 | -0/+26
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SSSD: Load a user to run a service as from configuration | Jakub Hrozek | 2014-10-30 | 1 | -0/+13
  Related: https://fedorahosted.org/sssd/ticket/2370
  Adds an option, user to run as, that is specified in the [sssd] section. When this option is specified, SSSD will run as this user and his private group. When these are not specified, SSSD will run as the configure-time user and group (usually root).
  Currently all services and providers are started as root. There is a temporary svc_supported_as_nonroot() function that returns true for a service if that service runs and was tested as nonroot and false otherwise. Currently this function always returns false, but will be amended in future patches.
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Simo Sorce <simo@redhat.com>
  (cherry picked from commit a10ac1d0a7210def232205a48c53a075930e82f6)
* NSS: Possibility to use any shells in 'allowed_shells' | Denis Kutin | 2014-10-22 | 1 | -0/+10
  Resolves: https://fedorahosted.org/sssd/ticket/2219
  Signed-off-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: new options pam_trusted_users & pam_public_domains | Pavel Reichl | 2014-09-29 | 1 | -0/+50
  pam_public_domains option is a list of numerical UIDs or user names that are trusted.
  pam_public_domains option is a list of domains accessible even for untrusted users.
  Based on: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* MAN: AD is allowed value of subdomains_provider | Jakub Hrozek | 2014-09-18 | 1 | -0/+9
  https://fedorahosted.org/sssd/ticket/2442
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SSS_CACHE: Allow sss_cache tool to flush SSH hosts cache | William B | 2014-09-05 | 1 | -0/+14
  Resolves: https://fedorahosted.org/sssd/ticket/2358
  Signed-off-by: Jan Cholasta <jcholast@redhat.com>
  Reviewed-by: Jan Cholasta <jcholast@redhat.com>
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Replace space: add some checks | Sumit Bose | 2014-09-01 | 1 | -3/+5
  This patch adds some additional checks if the option for replacing spaces in user and group names is used.
  When replacing space with the replacement character it is checked if the name already contains the replacement character. If it does the unmodified name is returned because in this case a reverse operation would not be possible.
  For the reverse operation it is checked if the input contains both a space and the replacement character. If this is true the unmodified name is returned as well, because we have to assume that it is the original name because otherwise it wouldn't contain both characters.
  Additionally a shortcut if the replacement character is a space and tests for the new checks are added. The man page is updated accordingly.
  Related to https://fedorahosted.org/sssd/ticket/1854 and https://fedorahosted.org/sssd/ticket/2397 .
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Make the space override responder-agnostic | Jakub Hrozek | 2014-08-13 | 1 | -17/+23
  https://fedorahosted.org/sssd/ticket/2397
  In order to make the override_space option usable by other responders, we need to move the override_space option to the generic responder structure.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Only replace space with the specified substitution | Jakub Hrozek | 2014-08-13 | 1 | -5/+5
  https://fedorahosted.org/sssd/ticket/2397
  - make sss_replace_whitespaces only replace space (' ') not any whitespace
  - make sss_replace_whitespaces only replace a single char, not the whole string
  - rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to CONFDB_NSS_OVERRIDE_DEFAULT_SPACE
  - rename the override_default_whitespace option to override_space
  - rename sss_replace_whitespaces() to sss_replace_space()
  - rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space()
  - rename nctx->override_default_wsp_str to nctx->override_space
  - make the return value of sss_replace_space non-const to avoid freeing the result without compilation warnings
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* MAN: offline_timeout | Michal Zidek | 2014-08-12 | 1 | -4/+22
  Amend the man page to reflect current behaviour.
  https://fedorahosted.org/sssd/ticket/2401
  Reviewed-by: Dan Lavu <dlavu@redhat.com>
* MAN: case_sensitivity man page update | Michal Zidek | 2014-07-29 | 1 | -3/+30
  Fixes: https://fedorahosted.org/sssd/ticket/2367
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* NSS: Replace spaces with specified string in names. | Lukas Slebodnik | 2014-07-28 | 1 | -0/+17
  This patch adds the possibility to replace whitespace in user and group names with a specified string. With string "-", sssd will return the same result as winbind enabled option "winbind normalize names"
  Resolves: https://fedorahosted.org/sssd/ticket/1854
  Reviewed-by: Pavel Reichl <preichl@redhat.com>
  Reviewed-by: Michal Židek <mzidek@redhat.com>
* MAN: local auth_provider is not documented in sssd.conf | Jakub Hrozek | 2014-07-14 | 1 | -0/+4
  https://fedorahosted.org/sssd/ticket/2359
  Reported by Stephan Mueller.
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MAN: Add reference to manual page sssd-sudo | Lukas Slebodnik | 2014-06-03 | 1 | -0/+28
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* NSS: Add option to expand homedir template format | Lukas Slebodnik | 2014-06-02 | 1 | -0/+1
  LDAP server can contain template for home directory instead of plain string. This patch adds new expand option "%H", which will be replaced with value from configuration option homedir_substring (from sssd.conf)
  Resolves: https://fedorahosted.org/sssd/ticket/1853
* man: clarify refresh_expired_interval | Pavel Březina | 2014-06-01 | 1 | -3/+7
  https://fedorahosted.org/sssd/ticket/2114
  Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* IFP: Re-add the InfoPipe server | Jakub Hrozek | 2014-04-04 | 1 | -0/+1
  Related: https://fedorahosted.org/sssd/ticket/2072
  This commit only adds the responder and the needed plumbing. No DBus related code is in yet.
* MAN: new general options section | Pavel Reichl | 2014-03-13 | 1 | -39/+62
  Some options are relevant to multiple sections of sssd.conf. This patch adds new sections for those.
  Resolves: https://fedorahosted.org/sssd/ticket/2218
  Reviewed-by: Sumit Bose <sbose@redhat.com>
* SUDO: AD provider | Sumit Bose | 2014-03-02 | 1 | -3/+12
  This patch adds the sudo target to the AD provider. The main reason is to cover different default settings in the LDAP and AD provider. E.g. the default for ldap_id_mapping is True in the AD provider and False in the LDAP provider. If ldap_id_mapping was not set explicitly in the config file both components worked with different settings.
  Fixes https://fedorahosted.org/sssd/ticket/2256
  Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
  Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
  Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MAN: update of subdomain_homedir usage | Pavel Reichl | 2014-02-05 | 1 | -1/+2
  Resolves: https://fedorahosted.org/sssd/ticket/2169
* MAN: clarify which shell option takes precedence | Jakub Hrozek | 2014-01-29 | 1 | -6/+7
* MAN: Fix a typo | Jakub Hrozek | 2014-01-20 | 1 | -1/+1
* confdb: Make offline timeout configurable | Michal Zidek | 2013-11-07 | 1 | -0/+15
  Added and documented option offline_timeout.
  Resolves: https://fedorahosted.org/sssd/ticket/1718
* MAN: Document that sss_cache should be run after changing the cache timeout | Jakub Hrozek | 2013-09-05 | 1 | -0/+13
* Add a new option to control subdomain enumeration | Jakub Hrozek | 2013-08-28 | 1 | -0/+27
* Netgroups should ignore the 'use_fully_qualified_names' setting | Stephen Gallagher | 2013-07-29 | 1 | -0/+7
  Netgroups often have memberNisNetgroup entries included in them that will never process correctly if we require fully-qualified names on the nested lookup. This patch alters the behavior of netgroup lookups to check *all* domains for an unqualified netgroup name, instead of only the ones not requiring fully-qualified names.
  https://fedorahosted.org/sssd/ticket/2013
* Set default DNS resolution timeout to 6 seconds. | Michal Zidek | 2013-07-24 | 1 | -1/+1
  Partially solves ticket: https://fedorahosted.org/sssd/ticket/1966
  To avoid the problem mentioned in the ticket above, option dns_discovery_domain must be set properly.
* MAN: Clarify the min_id/max_id limits further | Jakub Hrozek | 2013-07-17 | 1 | -0/+4
  https://fedorahosted.org/sssd/ticket/2005
  Some users were confused by our description of min_id/max_id and thought the limits only applied to returning entries from the NSS responder. However, the limits are actually enforced on the back end side, so the entries are not even saved to cache.
* Fix minor typos | Yuri Chornoivan | 2013-06-12 | 1 | -2/+2
* back end: add refresh expired records periodic task | Pavel Březina | 2013-06-10 | 1 | -0/+18
  https://fedorahosted.org/sssd/ticket/1713
  Add new option refresh_expired_interval.
* Enhance PAC responder for AD users | Sumit Bose | 2013-06-06 | 1 | -10/+10
  This patch modifies the PAC responder so that it can be used with the AD provider as well. The main difference is that the POSIX UIDs and GIDs are now looked up with the help of the SID instead of being calculated algorithmically. This was necessary because the AD provider allows either algorithmic mapping or reading the value from attributes stored in AD.
  Fixes https://fedorahosted.org/sssd/ticket/1558
* Allow flat name in the FQname format | Jakub Hrozek | 2013-05-30 | 1 | -5/+63
  https://fedorahosted.org/sssd/ticket/1648
  Adds another expansion in the printf format that allows the user to use the domain flat name in the format.
* Add a domain config attribute for realmd | Stef Walter | 2013-05-23 | 1 | -0/+9
  realmd needs to be able to tag various domains with basic info when it configures a domain.
* AD: read flat name and SID of the AD domain | Sumit Bose | 2013-05-07 | 1 | -0/+4
  For various features either the flat/short/NetBIOS domain name or the domain SID is needed. Since the responders already try to do a subdomain lookup when and known domain name is encountered I added a subdomain lookup to the AD provider which currently only reads the SID from the base DN and the NetBIOS name from a reply of a LDAP ping. The results are written to the cache to have them available even if SSSD is started in offline mode. Looking up trusted domains can be added later.
  Since all the needed responder code is already available from the corresponding work for the IPA provider this patch fixes https://fedorahosted.org/sssd/ticket/1468
* Document the naming convention for SSSD domains | Jakub Hrozek | 2013-04-26 | 1 | -0/+2
  https://fedorahosted.org/sssd/ticket/1809
* Allow using flatname for subdomain home dir template | Jakub Hrozek | 2013-04-10 | 1 | -1/+9
  https://fedorahosted.org/sssd/ticket/1609
* Put the override_homedir into an included xml file | Jakub Hrozek | 2013-04-10 | 1 | -54/+1
  The description was duplicated in two places, leading to errors where one was amended but the other was not.
* NSS: Add original homedir to home directory template options | Stephen Gallagher | 2013-02-10 | 1 | -0/+7
  https://fedorahosted.org/sssd/ticket/1805
* MAN: Clarify that saving users after enumerating large domain might be CPU intensive | Jakub Hrozek | 2013-01-28 | 1 | -1/+9
  https://fedorahosted.org/sssd/ticket/1732
* MAN: Move ssh_known_hosts_timeout documentation to the correct section | Jan Cholasta | 2012-12-05 | 1 | -12/+12
* MAN: quotation fix | Ondrej Kos | 2012-11-16 | 1 | -1/+1
  I noticed that the proxy in auth_provider section of sssd.conf manpage isn't quoted when all others are.
* Add ignore_group_members option. | Paul B. Henson | 2012-11-15 | 1 | -0/+17
  https://fedorahosted.org/sssd/ticket/1376
* Run IPA subdomain provider if IPA ID provider is configured | Sumit Bose | 2012-11-14 | 1 | -5/+9
  To make configuration easier the IPA subdomain provider should be always loaded if the IPA ID provider is configured and the subdomain provider is not explicitly disabled. But to avoid the overhead of regular subdomain requests in setups where no subdomains are used the IPA subdomain provider should behave differently if configured explicitly or implicitly.
  If the IPA subdomain provider is configured explicitly, i.e. 'subdomains_provider = ipa' can be found in the domain section of sssd.conf, subdomain requests are always sent to the server if needed. If it is configured implicitly and a request to the server fails with an indication that the server currently does not support subdomains at all, e.g. is not configured to handle trust relationships, a new request will only be sent to the server after a long timeout or after a going-online event.
  To be able to make this distinction this patch saves the configuration status to the subdomain context.
  Fixes https://fedorahosted.org/sssd/ticket/1613
* MAN: Specify the correct location for the force_timeout option | Stephen Gallagher | 2012-11-08 | 1 | -16/+32