From 1c48b5a62f73234ed26bb20f0ab345ab61cda0ab Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Thu, 18 Feb 2010 07:49:04 -0500
Subject: Rename server/ directory to src/ Also update BUILD.txt
---
 server/man/sssd.conf.5.xml | 808 ---------------------------------------------
 1 file changed, 808 deletions(-)
 delete mode 100644 server/man/sssd.conf.5.xml
(limited to 'server/man/sssd.conf.5.xml')
diff --git a/server/man/sssd.conf.5.xml b/server/man/sssd.conf.5.xml
deleted file mode 100644
index 7b240c8f4..000000000
--- a/server/man/sssd.conf.5.xml
+++ /dev/null
@@ -1,808 +0,0 @@ - - - -SSSD Manual pages - - - - - sssd.conf - 5 - File Formats and Conventions - - - - sssd.conf - the configuration file for SSSD - - - - FILE FORMAT - - - The file has an ini-style syntax and consists of sections and - parameters. A section begins with the name of the section in - square brackets and continues until the next section begins. An - example of section with single and multi-valued parameters: - - [section] - key = value - key2 = value2,value3 - - - - - The data types used are string (no quotes needed), integer - and bool (with values of TRUE/FALSE). - - - - A line comment starts with a hash sign (#) or a - semicolon (;) - - - - All sections can have an optional - description parameter. Its function - is only as a label for the section. - - - - sssd.conf must be a regular file, owned by - root and only root may read from or write to the file. - - - - - SPECIAL SECTIONS - - - The [sssd] section - - Individual pieces of SSSD functionality are provided by special - SSSD services that are started and stopped together with SSSD. - The services are managed by a special service frequently called - monitor. The [sssd] section is used - to configure the monitor as well as some other important options - like the identity domains. - - Section parameters - - config_file_version (integer) - - - Indicates what is the syntax of the config - file. SSSD 0.6.0 and later use version 2. - - - - - services - - - Comma separated list of services that are - started when sssd itself starts. - - - Supported services: nss, pam - - - - - reconnection_retries (integer) - - - Number of times services should attempt to - reconnect in the event of a Data Provider - crash or restart before they give up - - - Default: 3 - - - - - domains - - - A domain is a database containing user - information. SSSD can use more domains - at the same time, but at least one - must be configured or SSSD won't start. 
- This parameter described the list of domains - in the order you want them to be queried. - - - - - re_expression (string) - - - Regular expression that describes how to parse the string - containing user name and domain into these components. - - - Default: (?P<name>[^@]+)@?(?P<domain>[^@]*$) - which translates to "the name is everything up to the - @ sign, the domain everything after that" - - - PLEASE NOTE: the support for non-unique named - subpatterns is not available on all plattforms - (e.g. RHEL5 and SLES10). Only plattforms with - libpcre version 7 or higher can support non-unique - named subpatterns. - - - PLEASE NOTE ALSO: older version of libpcre only - support the Python syntax (?P<name>) to label - subpatterns. - - - - - full_name_format (string) - - - A - printf - 3 - -compatible format that describes how to - translate a (name, domain) tuple into a fully qualified - name. - - - Default: %1$s@%2$s. - - - - - - - - - - - SERVICES SECTIONS - - Settings that can be used to configure different services - are described in this section. They should reside in the - [$NAME] section, for example, - for NSS service, the section would be [nss] - - - - General service configuration options - - These options can be used to configure any service. - - - - debug_level (integer) - - - Sets the debug level for the service. The - value can be in range from 0 (only critical - messages) to 10 (very verbose). - - - Default: 0 - - - - - debug_timestamps (bool) - - - Add a timestamp to the debug messages - - - Default: true - - - - - reconnection_retries (integer) - - - Number of times services should attempt to - reconnect in the event of a Data Provider - crash or restart before they give up - - - Default: 3 - - - - - command (string) - - - By default, the executable - representing this service is called - sssd_${service_name}. - This directive allows to change the executable - name for the service. 
In the vast majority of - configurations, the default values should suffice. - - - Default: sssd_${service_name} - - - - - - - - NSS configuration options - - These options can be used to configure the - Name Service Switch (NSS) service. - - - - enum_cache_timeout (integer) - - - How many seconds should nss_sss cache enumerations - (requests for info about all users) - - - Default: 120 - - - - - entry_cache_nowait_percentage (integer) - - - The entry cache can be set to automatically update - entries in the background if they are requested - beyond a percentage of the entry_cache_timeout - value for the domain. - - - For example, if the domain's entry_cache_timeout - is set to 30s and entry_cache_nowait_percentage is - set to 50 (percent), entries that come in after 15 - seconds past the last cache update will be - returned immediately, but the SSSD will go and - update the cache on its own, so that future - requests will not need to block waiting for a - cache update. - - - Valid values for this option are 0-99 and - represent a percentage of the entry_cache_timeout - for each domain. For performance reasons, this - percentage will never reduce the nowait timeout to - less than 10 seconds. - (0 disables this feature) - - - Default: 0 - - - - - entry_negative_timeout (integer) - - - Specifies for how long nss_sss should cache - negative cache hits (that is, queries for - invalid database entries, like nonexistent ones) - before asking the back end again. - - - Default: 15 - - - - - filter_users, filter_groups (string) - - - Exclude certain users from being fetched from the sss - NSS database. This is particulary useful for system - accounts. - - - Default: root - - - - - filter_users_in_groups (bool) - - - If you want filtered user still be group members - set this option to false. - - - Default: true - - - - - - - PAM configuration options - - These options can be used to configure the - Pluggable Authentication Module (PAM) service. 
- - - - offline_credentials_expiration (integer) - - - If the authentication provider is offline, how - long should we allow cached logins (in days since - the last successful online login). - - - Default: 0 (No limit) - - - - - - offline_failed_login_attempts (integer) - - - If the authentication provider is offline, how - many failed login attempts are allowed. - - - Default: 0 (No limit) - - - - - - offline_failed_login_delay (integer) - - - The time in minutes which has to pass after - offline_failed_login_attempts has been reached - before a new login attempt is possible. - - - If set to 0 the user cannot authenticate offline if - offline_failed_login_attempts has been reached. Only - a successful online authentication can enable - enable offline authentication again. - - - Default: 5 - - - - - - - - - DOMAIN SECTIONS - - These configuration options can be present in a domain - configuration section, that is, in a section called - [domain/NAME] - - - min_id,max_id (integer) - - - UID limits for the domain. If a domain contains - entry that is outside these limits, it is ignored - - - Default: 1000 for min_id, 0 (no limit) for max_id - - - - - - timeout (integer) - - - Timeout in seconds between heartbeats for this domain. - This is used to ensure that the backend process is - alive and capable of answering requests. - - - Default: 10 - - - - - - enumerate (bool) - - - Determines if a domain can be enumerated. This - parameter can have one of the following values: - - - TRUE = Users and groups are enumerated - - - FALSE = No enumerations for this domain - - - Default: TRUE - - - - - - entry_cache_timeout (integer) - - - How many seconds should nss_sss consider - entries valid before asking the backend again - - - Default: 600 - - - - - cache_credentials (bool) - - - Determines if user credentials are also cached - in the local LDB cache - - - Default: FALSE - - - - - - id_provider (string) - - - The Data Provider identity backend to use for this - domain. 
- - - Supported backends: - - - proxy: Support a legacy NSS provider - - - local: SSSD internal local provider - - - ldap: LDAP provider - - - - - - use_fully_qualified_names (bool) - - - If set to TRUE, all requests to this domain - must use fully qualified names. For example, - if used in LOCAL domain that contains a "test" - user, getent passwd test - wouldn't find the user while getent - passwd test@LOCAL would. - - - Default: FALSE - - - - - auth_provider (string) - - - The authentication provider used for the domain. - Supported auth providers are: - - - ldap for native LDAP authentication. See - - sssd-ldap - 5 - for more information on configuring LDAP. - - - krb5 for Kerberos authentication. See - - sssd-krb5 - 5 - for more information on configuring Kerberos. - - - proxy for relaying authentication to some other PAM target. - - - none disables authentication explicitly. - - - Default: id_provider is used if it - is set and can handle authentication requests. - - - - - access_provider (string) - - - The access control provider used for the domain. - There are two built-in access providers (in - addition to any included in installed backends) - Internal special providers are: - - - permit always allow access. - - - deny always deny access. - - - Default: permit - - - - - chpass_provider (string) - - - The provider which should handle change password - operations for the domain. - Supported change password providers are: - - - ldap to change a password stored - in a LDAP server. See - - sssd-ldap - 5 - for more information on configuring LDAP. - - - krb5 to change the Kerberos - password. See - - sssd-krb5 - 5 - for more information on configuring Kerberos. - - - proxy for relaying password changes - to some other PAM target. - - - none disallows password changes explicitly. - - - Default: auth_provider is used if it - is set and can handle change password requests. - - - - - - - - Options valid for proxy domains. 
- - - - proxy_pam_target (string) - - - The proxy target PAM proxies to. - - - Default: not set by default, you have to take an - existing pam configuration or create a new one and - add the service name here. - - - - - - proxy_lib_name (string) - - - The name of the NSS library to use in proxy - domains. The NSS functions searched for in the - library are in the form of - _nss_$(libName)_$(function), for example - _nss_files_getpwent. - - - - - - - - The local domain section - - This section contains settings for domain that stores users and - groups in SSSD native database, that is, a domain that uses - id_provider=local. - - - Section parameters - - default_shell (string) - - - The default shell for users created - with SSSD userspace tools. - - - Default: /bin/bash - - - - - base_directory (string) - - - The tools append the login name to - base_directory and - use that as the home directory. - - - Default: /home - - - - - create_homedir (bool) - - - Indicate if a home directory should be created by default for new users. - Can be overriden on command line. - - - Default: TRUE - - - - - remove_homedir (bool) - - - Indicate if a home directory should be removed by default for deleted users. - Can be overriden on command line. - - - Default: TRUE - - - - - homedir_umask (integer) - - - Used by - - sss_useradd - 8 - to specify the default permissions on a newly created - home directory. - - - Default: 077 - - - - - skel_dir (string) - - - The skeleton directory, which contains files - and directories to be copied in the user's - home directory, when the home directory is - created by - - sss_useradd - 8 - - - - Default: /etc/skel - - - - - mail_dir (string) - - - The mail spool directory. This is needed to - manipulate the mailbox when its corresponding - user account is modified or deleted. - If not specified, a default - value is used. - - - Default: /var/mail - - - - - - - - - - EXAMPLE - - The following example shows a typical SSSD config. 
It does - not describe configuration of the domains themselves - refer to - documentation on configuring domains for more details. - -[sssd] -domains = LDAP -services = nss, pam -config_file_version = 2 - -[nss] -filter_groups = root -filter_users = root - -[pam] - -[domain/LDAP] -id_provider = ldap -ldap_uri = ldap://ldap.example.com -ldap_search_base = dc=example,dc=com - -auth_provider = krb5 -krb5_kdcip = kerberos.example.com -krb5_realm = EXAMPLE.COM -cache_credentials = true - -min_id = 10000 -max_id = 20000 -enumerate = true - - - - - - SEE ALSO - - - sssd-ldap5 - , - - sssd-krb55 - , - - sss_groupadd8 - , - - sss_groupdel8 - , - - sss_groupmod8 - , - - sss_useradd8 - , - - sss_userdel8 - , - - sss_usermod8 - , - - pam_sss8 - . - - - - -- cgit