From 72a36ddec46744a6aa1443f62066c1d9e422b190 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 28 May 2009 22:47:48 +0200 Subject: sssd.conf(5) man page --- server/Makefile.am | 2 +- server/man/sssd.conf.5.xml | 654 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 655 insertions(+), 1 deletion(-) create mode 100644 server/man/sssd.conf.5.xml diff --git a/server/Makefile.am b/server/Makefile.am index 5fdec42fe..e38f1befe 100644 --- a/server/Makefile.am +++ b/server/Makefile.am @@ -400,7 +400,7 @@ XSLTPROC_FLAGS = --catalogs --xinclude --nonet dist_man_MANS = man/sss_useradd.8 man/sss_userdel.8 man/sss_usermod.8 \ man/sss_groupadd.8 man/sss_groupdel.8 man/sss_groupmod.8 \ - man/sssd.8 + man/sssd.8 man/sssd.conf.5 SUFFIXES = .1.xml .1 .3.xml .3 .5.xml .5 .8.xml .8 .1.xml.1: diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml new file mode 100644 index 000000000..94efe1848 --- /dev/null +++ b/server/man/sssd.conf.5.xml 
@@ -0,0 +1,654 @@ + + + +SSSD Manual pages + + + + + sssd.conf + 5 + File Formats and Conventions + + + + sssd.conf + the configuration file for SSSD + + + + FILE FORMAT + + + The file has an ini-style syntax and consists of sections and + parameters. A section begins with the name of the section in + square brackets and continues until the next section begins. An + example of section with single and multi-valued parameters: + + [section] + key = value + key2 = value2,value3 + + + + + The data types used are string (no quotes needed), integer + and bool (with values of TRUE/FALSE). + + + + A line comment starts with a hash sign (#) or a + semicolon (;) + + + + All sections can have an optional + description parameter. Its function + is only as a label for the section. + + + + + SPECIAL SECTIONS + + + The [services] section + + Individual pieces of SSSD functionality are provided by special + SSSD services that are started and stopped together with SSSD. + The services are managed by a special service called + monitor. + + Section parameters + + activeServices + + + Comma separated list of services that are + started when sssd itself starts. Since Data + Provider (dp) is a required + service, it will be started even if omitted. + + + Default: dp + + + Supported services: dp, nss, pam + + + + + reconnection_retries + + + Number of times services should attempt to + reconnect in the event of a Data Provider + crash or restart before they give up + + + Default: 3 + + + + + + + + + The [domains] section + + A domain is a database containing user information. SSSD can + use more domains at the same time, but at least one must + be configured or SSSD won't start. + + + Section parameters + + domains + + + The list of domains in the order you want them + to be queried + + + + + + + + The [names] section + + This section allows to configure how a name, or a fully qualified + name looks like. These settings are used by both the PAM and NSS + responders. 
+ + + Section parameters + + re-expression (string) + + + Regular expression that describes how to parse the string + containing user name and domain into these components. + + + Default: (?<name>[^@]+)@?(?<domain>[^@]*$) + which translates to "the name is everything up to the + @ sign, the domain everything after that" + + + + + full-name-format (string) + + + A + printf + 3 + -compatible format that describes how to + translate a (name, domain) tuple into a fully qualified + name. + + + Default: %1$s@%2$s. + + + + + + + + The [user_defaults] section + + This section contains settings that alter default values used + when adding a user with SSSD userspace tools (sss_useradd). + + + Section parameters + + defaultShell (string) + + + The default shell for users created + with SSSD userspace tools. + + + Default: /bin/bash + + + + + baseDirectory (string) + + + The tools append the login name to + baseDirectory and + use that as the home directory. + + + Default: /home + + + + + + + + + + SERVICES SECTIONS + + Settings that can be used to configure different services + are described in this section. They should reside in the + [services/NAME] section, for example, + for NSS service, the section would be [services/nss] + + + + General service configuration options + + These options can be used to configure any service. + + + + debug-level (integer) + + + Sets the debug level for the service. The + value can be in range from 0 (only critical + messages) to 10 (very verbose). + + + Default: 0 + + + + + reconnection_retries (integer) + + + Number of times services should attempt to + reconnect in the event of a Data Provider + crash or restart before they give up + + + Default: 3 + + + + + command (string) + + + By default, the executable + representing this service is called + sssd_${service_name}. + This directive allows to change the executable + name for the service. In the vast majority of + configurations, the default values should suffice. 
+ + + Default: sssd_${service_name} + + + + + + + + Monitor configuration options + + Monitor is the central controller of the SSSD. It is + responsible for running all the other services that provide + specific pieces of functionality. + + + + sbusAddress (string) + + + The services in sssd communicate over an internal + wrapper on top of D-Bus called S-Bus. This + directive can be used to specify the address + to connect to. The vast majority of configurations + will not need to change this setting. + + + + + sbusTimeout (string) + + + Specifies the timeout for messages sent over the SBUS. + + + Default: -1 (implies a reasonable timeout as defined + by the D-BUS library) + + + + + + + + NSS configuration options + + These options can be used to configure the + Name Service Switch (NSS) service. + + + + EnumCacheTimeout (integer) + + + How long should nss_sss cache enumerations + (requests for info about all users) + + + Default: 120 + + + + + EntryCacheTimeout (integer) + + + How long should nss_sss cache positive cache hits + (that is, queries for valid database entries) before + asking the backend again + + + Default: 600 + + + + + EntryNegativeTimeout (integer) + + + How long should nss_sss cache negative cache hits + (that is, queries for invalid database entries, like + nonexistent ones) before asking the backend again + + + Default: 15 + + + + + filterUsers, filterGroups (string) + + + Exclude certain users from being fetched from the sss + NSS database. This is particulary useful for system + accounts like root. + + + + + + + + + DOMAIN SECTIONS + + These configuration options can be present in a domain + configuration section, that is, in a section called + [domains/NAME] + + + minId,maxId (integer) + + + UID limits for the domain. If a domain contains + entry that is outside these limits, it is ignored + + + Default: 0 (no limit) + + + + + + timeout (integer) + + + Timeout in seconds for this particular domain. 
+ Raising this timeout might prove useful for slower + backends like distant LDAP servers. + + + Default: 0 (no timeout) + + + + + + magicPrivateGroups (bool) + + + By using the Magic Private Groups option, you + are imposing two limitations to the ID space + and name space: + + + 1. Users and groups in the domain share a common + name space. There can never be an explicit group + with the same name as a user + + + 2. Users and groups share a common ID + space, there can never be an explicit group with + a same ID as a user + + + Using Magic Private groups bring the benefit of + better Windows Interoperability (in Windows, + the ID and name spaces are unique) and also + avoids creating a group for every user, + thus cluttering the group space. Also, for + NSS calls, every user is actually returned + as user's private group without having to + explicitly create the group, thus having the + same effect as User Private Groups + + + Default: FALSE + + + + + + enumerate (integer) + + + Determines if a domain can be enumerated. This + parameter can have one of the following values: + + + 0 = No enumeration + + + 1 = Enumerate users + + + 2 = Enumerate groups + + + 3 = Enumerate both + + + Default: 0 + + + + + + cache-credentials (bool) + + + Determines if user credentials are also cached + in the local LDB cache + + + Default: FALSE + + + + + + legacy (bool) + + + A legacy domain is a strictly POSIX domain in + terms of attributes it supports. Groups in legacy + domains can't be nested. + + + Default: FALSE + + + + + + store-legacy-passwords (bool) + + + Whether to also store passwords in a legacy domain + + + Default: FALSE + + + + + + provider (string) + + + The Data Provider backend to use for this domain. + + + Supported backends: + + + proxy: Support a legacy NSS provider + + + local: SSSD internal local provider + + + ldap: LDAP provider + + + + + + useFullyQualifiedNames (bool) + + + If set to TRUE, all requests to this domain + must use fully qualified names. 
For example, + if used in LOCAL domain that contains a "test" + user, getent passwd test + wouldn't find the user while getent + passwd test@LOCAL would. + + + Default: FALSE + + + + + + + + Options valid for proxy domains. + + + + auth-module (string) + + + The authentication module used. Two + authentication modules are provided - + ldap for native LDAP authentication + and proxy, used for relaying + authentication to some other PAM target. + + + + + + pam-target (string) + + + The proxy target PAM proxies to. + + + Default: sssd_pam_proxy_default + + + + + + libName (string) + + + The name of the NSS library to use in proxy + domains. The NSS functions searched for in the + library are in the form of + _nss_$(libName)_$(function), for example + _nss_files_getpwent. + + + + + + libPath (string) + + + File name (including .so) of NSS library + used. For instance, ldap NSS library is named + libnss_ldap.so, the standard files NSS library + is named libnss_files.so + + + + + + + + + EXAMPLE + + The following example shows a typical SSSD config. It does + not describe configuration of the domains themselves - refer to + documentation on configuring domains for more details. 
+ +[services] +description = Local Service Configuration +activeServices = nss, pam +reconnection_retries = 3 + +[services/nss] +description = NSS Responder Configuration +filterGroups = root +filterUsers = root +debug-level = 4 + +[services/dp] +description = Data Provider Configuration +debug-level = 4 + +[services/pam] +description = PAM Responder Configuration + +[services/monitor] +description = Service Monitor Configuration + +[domains] +description = Domains served by SSSD +domains = LOCAL + +[domains/LOCAL] +description = LOCAL Users domain +enumerate = 3 +minId = 5000 +maxId = 30000 +legacy = FALSE +magicPrivateGroups = TRUE +provider = local + + + + + + SEE ALSO + + + sssd.conf5 + , + + sss_groupadd8 + , + + sss_groupdel8 + , + + sss_groupmod8 + , + + sss_useradd8 + , + + sss_userdel8 + , + + sss_usermod8 + . + + + + -- cgit
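Review bot: the two security-sensitive domain options are under-documented: `cache-credentials (bool)` only says credentials are "also cached in the local LDB cache" and `store-legacy-passwords (bool)` only says "Whether to also store passwords in a legacy domain"; neither states what is actually written to the cache (a hash or the cleartext password), where on disk it lives, or that enabling it turns an offline-login convenience into an offline-attackable secret store, which is exactly what an administrator reading a man page needs before flipping a default of FALSE. Related documentation gaps in the same hunk: `sbusTimeout` is typed `(string)` but its default is `-1` and the text describes a numeric timeout, so the type should be `(integer)`; the three NSS cache options `EnumCacheTimeout`, `EntryCacheTimeout` and `EntryNegativeTimeout` give defaults of 120, 600 and 15 without a unit, whereas the domain `timeout` option explicitly says "in seconds", and the NSS ones should say so too; `filterUsers, filterGroups` lists no default, so it is unclear whether `root` is filtered unless the example's `filterUsers = root` is copied; `auth-module` is placed under "Options valid for proxy domains" yet its own text offers `ldap` for "native LDAP authentication", so either the heading is too narrow or the `ldap` value does not belong here. Smaller points: "particulary" in the `filterUsers` description should be "particularly", "This directive allows to change" should read "This directive changes", and the SEE ALSO list cites `sssd.conf(5)` (this page itself) while omitting `sssd(8)`, which the Makefile.am hunk shows is already shipped as `man/sssd.8`; replace the self-reference with `sssd(8)`.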