summaryrefslogtreecommitdiffstats
path: root/src/man
Commit message (Collapse)AuthorAgeFilesLines
* Updating translations for the 1.13.1 releaseJakub Hrozek2015-09-3016-8043/+13684
|
* PAM: Make p11_child timeout configurableMichal Židek2015-09-231-0/+12
| | | | | | | | Ticket: https://fedorahosted.org/sssd/ticket/2773 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>
* sss_override: remove -d from manpagePavel Březina2015-09-211-1/+1
| | | | | | Short version of --debug is not acepted. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* Remove trailing whitespacePavel Reichl2015-09-031-4/+4
| | | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
* sss_override: document --debug optionsPavel Březina2015-08-311-0/+16
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2758 Reviewed-by: Petr Cech <pcech@redhat.com>
* sss_override: support import and exportPavel Březina2015-08-201-0/+88
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2737 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: Don't use server cmd in nsupdate by defaultPavel Reichl2015-08-142-1/+10
| | | | | | | | | | | nsupdate command `server` should not be used for the first attempt to udpate DNS. It should be used only in subsequent attempts after the first attempt failed. Resolves: https://fedorahosted.org/sssd/ticket/2495 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: Add a new option dyndns_serverJakub Hrozek2015-08-142-0/+39
| | | | | | | | | | | Some environments use a different DNS server than identity server. For these environments, it would be useful to be able to override the DNS server used to perform DNS updates. This patch adds a new option dyndns_server that, if set, would be used to hardcode a DNS server address into the nsupdate message. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* IPA: Change the default of ldap_user_certificate to userCertificate;binaryJakub Hrozek2015-08-141-1/+1
| | | | | | | | | | This is safe from ldb point of view, because ldb gurantees the data is NULL-terminated. We must be careful before we save the data, though. Resolves: https://fedorahosted.org/sssd/ticket/2742 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* ssh: generate public keys from certificateSumit Bose2015-07-311-0/+13
| | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2711 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* TOOLS: add sss_override for local overridesPavel Březina2015-07-273-0/+110
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2584 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* DYNDNS: special value '*' for dyndns_iface optionPavel Reichl2015-07-242-7/+8
| | | | | Option dyndns_iface has now special value '*' which implies that IPs from add interfaces should be sent during DDNS update.
* DYNDNS: support mult. interfaces for dyndns_iface optPavel Reichl2015-07-242-7/+12
| | | | | Resolves: https://fedorahosted.org/sssd/ticket/2549
* Fix minor typosYuri Chornoivan2015-07-231-2/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* man: List alternative schema defaults for LDAP AutoFS parametersRobin McCorkell2015-07-221-7/+10
| | | | | | | | | | | | | | | ldap_autofs_map_name and ldap_autofs_entry_key have their rfc2307bis defaults listed alongside the rfc2307 defaults. ldap_autofs_entry_object_class has a fixed description and default This patch replaces the other one I posted, implementing the alternative schema defaults Jakub suggested. Regards, Robin McCorkell Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IFP: Add wildcard requestsJakub Hrozek2015-07-151-0/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2553 Can be used as: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByName \ string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Users \ org.freedesktop.sssd.infopipe.Users.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \ /org/freedesktop/sssd/infopipe/Groups \ org.freedesktop.sssd.infopipe.Groups.ListByDomainAndName \ string:ipaldap string:r\* uint32:10 By default the wildcard_limit is unset, that is, the request will return all cached entries that match. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: Add the wildcard_limit optionJakub Hrozek2015-07-151-0/+17
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Adds a new wildcard_limit option that is set by default to 1000 (one page). This option limits the number of entries that can by default be returned by a wildcard search. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Updating the translations for the 1.13.0 releaseJakub Hrozek2015-07-0616-2565/+1496
|
* PAM: authenticate agains cachePavel Reichl2015-07-061-0/+24
| | | | | | | | | | | Enable authenticating users from cache even when SSSD is in online mode. Introduce new option `cached_auth_timeout`. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Updating the translations for the 1.13 Alpha releasesssd-1_13_0_alphasssd-1_12_90Jakub Hrozek2015-06-2216-16855/+22196
|
* LDAP: add ldap_user_certificate optionSumit Bose2015-06-191-0/+14
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* subdomains: Inherit cleanup period and tokengroup settings from parent domainJakub Hrozek2015-06-051-0/+9
| | | | | | | | | | | Allows the administrator to extend the functionality of ldap_purge_cache_timeout, ldap_user_principal and ldap_use_tokengroups to the subdomains. This is a less intrusive way of achieving: https://fedorahosted.org/sssd/ticket/2627 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* UTIL: Inherit ignore_group_membersJakub Hrozek2015-06-051-0/+4
| | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2644 Allows the administrators to extend ignore_group_members to subdomains as well by setting: subdomain_inherit = ignore_group_members in the domain section. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* confdb: Add new option subdomain_inheritJakub Hrozek2015-06-051-1/+19
| | | | | | | | | | | | | | Adds a new option subdomain_inherit that would allow administrators to pick and choose which option to pass to subdomains. This option is required for: https://fedorahosted.org/sssd/ticket/2644 as a short-term fix. The proper solution is described in: https://fedorahosted.org/sssd/ticket/2599 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* AD GPO: Change default to "enforcing"Stephen Gallagher2015-05-282-2/+10
| | | | | | | | | | | | | | | | | When a user enrolls a system against Active Directory, the expectation is that the client will honor the centrally-managed settings. In the past, we avoided changing the default (and left it in permissive mode, to warn admins that the security policy wasn't being honored) in order to avoid breaking existing Active Directory enrollments. However, sufficient time has likely passed for users to become accustomed to using GPOs to manage access-control for their systems. This patch changes the default to enforcing and adds a configure flag for distributions to use if they wish to provide a different default value. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* krb5: new option krb5_map_userPavel Reichl2015-05-281-0/+36
| | | | | | | | | | New option `krb5_map_user` providing mapping of ID provider names to Kerberos principals. Resolves: https://fedorahosted.org/sssd/ticket/2509 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: refresh_expired_interval also supports users and groupsJakub Hrozek2015-05-181-2/+2
| | | | | Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* LDAP: warn about lockout option being deprecatedPavel Reichl2015-05-141-0/+7
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: disable the cleanup task by defaultJakub Hrozek2015-05-121-2/+7
| | | | | | | | | | | | | | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2627 The cleanup task was designed to keep the cache size within certain limits. This is how it roughly works now: - find users who have never logged in by default. If account_cache_expiration is set, find users who loggged in later than account_cache_expiration - delete the matching set of users - find groups that have no members - delete the matching set of groups So unless account_cache_expiration is set to something sensible, only empty groups and expired users who never logged in are removed and that's quite a corner case. The above effectivelly walks the whole database, especially the groups step is quite slow with a huge database. The whole cleanup task also runs in a single sysdb transaction, which means all other transactions are blocked while the cleanup task crunches the database. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Add cache_credentials_minimal_first_factor_length config optionSumit Bose2015-05-081-0/+22
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* MAN: Clarify how are GPO mappings called in GPO editorJakub Hrozek2015-04-101-3/+19
| | | | | | https://fedorahosted.org/sssd/ticket/2618 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MAN: Update ppolicy descriptionPavel Reichl2015-03-271-4/+7
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2612 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* MAN: Clarify debug_level a bitJakub Hrozek2015-03-241-0/+19
| | | | | | | | | Some users are confused about placement of the debug_level directive or the location of the log files. Clarify both in the man page. Also add a pointer to sss_debuglevel. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Remove the ipa_hbac_treat_deny_as optionJakub Hrozek2015-03-241-28/+0
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2603 Since deny rules are no longer supported on the server, the client should no longer support them either. Remove the option. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* SDAP: Make StartTLS bind configurable with ldap_opt_timeoutJakub Hrozek2015-03-231-2/+3
| | | | | | | Related: https://fedorahosted.org/sssd/ticket/1501 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SDAP: Make password change timeout configurable with ldap_opt_timeoutJakub Hrozek2015-03-231-1/+2
| | | | | | | Related: https://fedorahosted.org/sssd/ticket/1501 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SDAP: Make simple bind timeout configurableJakub Hrozek2015-03-231-1/+2
| | | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/1501 Reuse the value of sdap_opt_timeout to set a longer bind timeout for user authentication, ID connection authentication and authentication during IPA migration mode. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* MAN: libkrb5 and SSSD use different expansionsPavel Reichl2015-03-131-0/+9
| | | | | | | | | | Users often wrongly use SSSD expansions in libkrb5 expansion template for principals. State explicitly it won't work. Resolves: https://fedorahosted.org/sssd/ticket/2528 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: default_domain_suffix with use_fully_qualified_names.Michal Zidek2015-03-111-2/+6
| | | | | | https://fedorahosted.org/sssd/ticket/2569 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SDAP: Lock out ssh keys when account naturally expiresPavel Reichl2015-03-051-0/+14
| | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2534 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SDAP: enable change phase of pw expire policy checkPavel Reichl2015-03-031-0/+27
| | | | | | | | | | | | | Implement new option which does checking password expiration policy in accounting phase. This allows SSSD to issue shadow expiration warning even if alternate authentication method is used. Resolves: https://fedorahosted.org/sssd/ticket/2167 Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: new option pam_account_expired_messagePavel Reichl2015-02-231-0/+21
| | | | | | | | | | This option sets string to be printed when authenticating using SSH keys and account is expired. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com>
* MAN: amend sss_ssh_authorizedkeysPavel Reichl2015-01-271-2/+3
| | | | | | | Directive AuthorizedKeysCommand should be used in conjunction with AuthorizedKeysCommandUser. Reviewed-by: Jan Cholasta <jcholast@redhat.com>
* AD: add new option ad_sitePavel Reichl2015-01-261-0/+14
| | | | | | | | | This option overrides a result of the automatic site discovery. Resolves: https://fedorahosted.org/sssd/ticket/2486 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* MAN: add dots as valid character in domain namesPavel Reichl2015-01-151-1/+1
| | | | | | | | | Add dots into a set of allowed characters for domain names. Resolves: https://fedorahosted.org/sssd/ticket/2527 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: dyndns_iface supports only one interfacePavel Reichl2015-01-152-0/+6
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2548 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* MAN: Amend the description of ignore_group_membersJohn Dickerson2015-01-151-1/+19
| | | | | | | | | | | | The option description should hint that enabling this option may have a positive effect on access control, especially with large groups. See https://bugzilla.redhat.com/show_bug.cgi?id=1172338 for an example where ignoring the group members helped. Signed-off-by: Jakub Hrozek <jakub.hrozek@posteo.se> Reviewed-by: Pavel Reichl <preichl@redhat.com>
* GPO: add systemd-user to gpo default permit listPavel Reichl2015-01-151-0/+5
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2556 Reviewed-by: Stephen Gallagher <sgallagh@redhat.com>
* MAN: Remove indentation in element programlisteningLukas Slebodnik2015-01-146-38/+38
| | | | | | | | The indentation is automatically in resulting man page. It isn't necessary to add spaces and moreover it can cause unreadable page asi in case of ad_gpo_map examples. Reviewed-by: Roland Mainz <rmainz@redhat.com>
* MAN: Fix a typoJakub Hrozek2015-01-081-1/+1
| | | | Reviewed-by: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-09 19:41:14 +0000