From 770dc892f867639f36f84455d65be6287935a529 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 2 Jan 2014 17:23:08 +0100 Subject: IFP: Per-attribute ACL for users MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Introduces a new option called user_attributes that allows to specify which user attributes are allowed to be queried from the IFP responder. By default only the default POSIX set is allowed, this option allows to either add other attributes (+attrname) or remove them from the default set (-attrname). Reviewed-by: Pavel Březina --- src/man/sssd-ifp.5.xml | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) (limited to 'src/man/sssd-ifp.5.xml') diff --git a/src/man/sssd-ifp.5.xml b/src/man/sssd-ifp.5.xml index 7e2ea7cfc..867c117ed 100644 --- a/src/man/sssd-ifp.5.xml +++ b/src/man/sssd-ifp.5.xml @@ -69,6 +69,68 @@ + + + user_attributes (string) + + + Specifies the comma-separated list of white + or blacklisted attributes. + + + By default, the InfoPipe responder only + allows the default set of POSIX attributes to + be requested. This set is the same as returned by + + getpwnam + 3 + + and includes: + + + name + user's login name + + + uidNumber + user ID + + + gidNumber + primary group ID + + + gecos + user information, typically full name + + + homeDirectory + home directory + + + loginShell + user shell + + + + + It is possible to add another attribute to + this set by using +attr_name + or explicitly remove an attribute using + -attr_name. For example, to + allow telephoneNumber but deny + loginShell, you would use the + following configuration: + +user_attributes = +telephoneNumber, -loginShell + + + + Default: not set. Only the default set of + POSIX attributes is allowed. + + + -- cgit
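Review bot: the new user_attributes entry does not say how a list item without a leading + or - is treated (ignored, rejected as a configuration error, or taken as +), nor how a conflict such as "+foo, -foo" is resolved; both cases matter for an access-control option, so the paragraph that introduces "+attr_name" and "-attr_name" should state them explicitly. Since the option widens what any client of the InfoPipe responder can read, the text after the example "user_attributes = +telephoneNumber, -loginShell" would also benefit from a sentence noting that every attribute added with + becomes readable by all clients the responder accepts, so administrators expose only what they intend. Finally, the example uses a space after the comma while the description says "comma-separated list"; confirm the parser tolerates surrounding whitespace and document it, or drop the space from the example.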