sssd.git/src/config/etc, branch sudo Unnamed repository; edit this file 'description' to name the repository. CONFIG: Fix schema for try_inotify 2017-09-13T07:50:17+00:00 Lukas Slebodnik lslebodn@redhat.com 2017-09-12T08:45:16+00:00 895584001760e8188db486bc39f9938624822d35 It is read only from "[sssd]" section. Resolves: https://pagure.io/SSSD/sssd/issue/3511 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
It is read only from "[sssd]" section.

Resolves:
https://pagure.io/SSSD/sssd/issue/3511

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
SECRETS: Add a new option to control per-UID limits 2017-09-01T18:26:45+00:00 Jakub Hrozek jhrozek@redhat.com 2017-06-05T14:10:55+00:00 6b3bab516355fdf4cc81e6da9d87ec3818ab190f Adds a new option max_uid_secrets that allows to set a limit of secrets for this particular client so that the user cannot starve other users. Resolves: https://pagure.io/SSSD/sssd/issue/3363 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Adds a new option max_uid_secrets that allows to set a limit of secrets
for this particular client so that the user cannot starve other users.

Resolves:
https://pagure.io/SSSD/sssd/issue/3363

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
DESKPROFILE: Add ipa_deskprofile_request_interval 2017-08-28T18:42:27+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-08-17T17:49:22+00:00 4a311702045b065a97a0c0fc0ccc7a1fc84b38cf This option has been added to avoid contacting the Data Provider when no rules were found in the previous request. By adding this configurable option we avoid contacting the Data Provider too often in the case described above and also when the server doesn't support Desktop Profile's integration. Resolves: https://pagure.io/SSSD/sssd/issue/3482 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
This option has been added to avoid contacting the Data Provider when no
rules were found in the previous request.

By adding this configurable option we avoid contacting the Data Provider
too often in the case described above and also when the server doesn't
support Desktop Profile's integration.

Resolves: https://pagure.io/SSSD/sssd/issue/3482

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
DESKPROFILE: Introduce the new IPA session provider 2017-08-28T18:41:04+00:00 Fabiano Fidêncio fidencio@redhat.com 2016-11-01T23:15:16+00:00 f982039c75ec064894deb676ae53ee57de868590 In order to provide FleetCommander[0] integration, a session provider has been introduced for IPA. The design of this feature and more technical details can be found at [1] and [2], which are the design pages of both freeIPA and SSSD parts. As there's no way to test freeIPA integration with our upstream tests, no test has been provided yet. Is also worth to mention that the name "deskprofile" has been chosen instead of "fleetcmd" in order to match with the freeIPA plugin. It means that, for consistence, all source files, directories created, options added, functions prefixes and so on are following the choice accordingly. [0]: https://wiki.gnome.org/Projects/FleetCommander [1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki [2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html Resolves: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
In order to provide FleetCommander[0] integration, a session provider
has been introduced for IPA. The design of this feature and more
technical details can be found at [1] and [2], which are the design
pages of both freeIPA and SSSD parts.

As there's no way to test freeIPA integration with our upstream tests,
no test has been provided yet.

Is also worth to mention that the name "deskprofile" has been chosen
instead of "fleetcmd" in order to match with the freeIPA plugin. It
means that, for consistence, all source files, directories created,
options added, functions prefixes and so on are following the choice
accordingly.

[0]: https://wiki.gnome.org/Projects/FleetCommander
[1]: https://github.com/abbra/freeipa-desktop-profile/blob/master/plugin/Feature.mediawiki
[2]: https://docs.pagure.org/SSSD.sssd/design_pages/fleet_commander_integration.html

Resolves:
https://pagure.io/SSSD/sssd/issue/2995

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
sudo: add a threshold option to reduce size of rules refresh filter 2017-08-18T06:52:25+00:00 Pavel Březina pbrezina@redhat.com 2017-07-11T10:41:57+00:00 a5f300adf19ec9c3087c62bd93a5175db799687a If a large number of rules is expired at one time the ldap filter may become too large to be processed by server. This commits adds a new option "sudo_threshold" to sudo responder. If the threshold is exceeded a full refreshed is done instead of rules refresh. Resolves: https://pagure.io/SSSD/sssd/issue/3478 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
If a large number of rules is expired at one time the ldap filter may
become too large to be processed by server. This commits adds a new
option "sudo_threshold" to sudo responder. If the threshold is
exceeded a full refreshed is done instead of rules refresh.

Resolves:
https://pagure.io/SSSD/sssd/issue/3478

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
CONFIG: Add session_recording section 2017-07-27T08:32:21+00:00 Nikolai Kondrashov Nikolai.Kondrashov@redhat.com 2016-12-20T08:16:47+00:00 555f43b491f40e0237b8677565a748b929092bee Add information on "session_recording" config section, having three options: "scope", "users", and "groups". The section is intended for disabling session recording ("scope = none", default), enabling session recording for all users ("scope = all"), and enabling it for some specific users and/or groups ("scope = some", "users = <users>", "groups = <groups>"). Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Add information on "session_recording" config section, having three
options: "scope", "users", and "groups".

The section is intended for disabling session recording ("scope = none",
default), enabling session recording for all users ("scope = all"), and
enabling it for some specific users and/or groups ("scope = some",
"users = <users>", "groups = <groups>").

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
CONFIG: Add subdomain_homedir to config locations 2017-05-26T12:40:06+00:00 Justin Stephenson jstephen@redhat.com 2017-05-22T19:21:17+00:00 beab60d88fc07d463f6fb3756c8f3d29bdd78827 Option subdomain_homedir was missing from Python config API an cfg_rules leading to config file validation failures. Add this option into the necessary locations similar to other provider-generic domain options. Resolves: https://pagure.io/SSSD/sssd/issue/3389 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Option subdomain_homedir was missing from Python config API an
cfg_rules leading to config file validation failures. Add this option
into the necessary locations similar to other provider-generic domain
options.

Resolves:
https://pagure.io/SSSD/sssd/issue/3389

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Use correct spelling of override 2017-04-28T12:57:08+00:00 René Genz liebundartig@freenet.de 2017-04-25T20:33:58+00:00 352f4832324839d358235de1236090b1fd4ddc0f Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
secrets: allow to configure certificate check 2017-03-30T17:08:00+00:00 Pavel Březina pbrezina@redhat.com 2017-02-28T10:47:32+00:00 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417 Some users may want to use TLS with unverified peer (for example if they use self-signed certificate) or if unverified hostname (if certificate hostname does not match with the real hostname). On the other side it may be useful to point to a directory containing custom certificate authorities. This patch add three new options to secrets responder: verify_peer => peer's certificate must be valid verify_host => hostnames must match capath => path to directory containing CA certs cacert => ca certificate cert => client certificate key => client private key Resolves: https://pagure.io/SSSD/sssd/issue/3192 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Some users may want to use TLS with unverified peer (for example if
they use self-signed certificate) or if unverified hostname (if
certificate hostname does not match with the real hostname). On the
other side it may be useful to point to a directory containing custom
certificate authorities.

This patch add three new options to secrets responder:
verify_peer => peer's certificate must be valid
verify_host => hostnames must match
capath => path to directory containing CA certs
cacert => ca certificate
cert => client certificate
key => client private key

Resolves:
https://pagure.io/SSSD/sssd/issue/3192

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
PAM: Add application services 2017-03-30T12:09:52+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-26T16:28:41+00:00 3e789aa0bd6b7bb6e62f91458b76753498030fb5 Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new PAM responder option 'pam_app_services'. This option can hold a list of PAM services that are allowed to contact the application non-POSIX domains. These services are NOT allowed to contact any of the POSIX domains. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Related to:
https://pagure.io/SSSD/sssd/issue/3310

Adds a new PAM responder option 'pam_app_services'. This option can hold
a list of PAM services that are allowed to contact the application
non-POSIX domains. These services are NOT allowed to contact any of the
POSIX domains.

Reviewed-by: Sumit Bose <sbose@redhat.com>