sssd.git/src/man, branch master Unnamed repository; edit this file 'description' to name the repository. minor typo fixes 2017-04-19T16:05:34+00:00 René Genz liebundartig@freenet.de 2017-04-19T08:36:12+00:00 0a86dede8773ecce91b5bd2ae75a02f9ff89a358 Merges: https://pagure.io/SSSD/sssd/pull-request/3374 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> 
Merges: https://pagure.io/SSSD/sssd/pull-request/3374

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
KRB5_LOCATOR: add env variable to disable plugin 2017-04-11T15:21:23+00:00 Sumit Bose sbose@redhat.com 2016-11-17T09:55:43+00:00 1193f20a8267e506d863b27c74870c86c085902b If the new environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any value SSSD's krb5 locator plugin is disabled. The variable is needed because there is currently no other way than removing the plugin completely to disable it. For a use-case see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1072939. Resolves: https://pagure.io/SSSD/sssd/issue/3359 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
If the new environment variable SSSD_KRB5_LOCATOR_DISABLE is set to any
value SSSD's krb5 locator plugin is disabled. The variable is needed
because there is currently no other way than removing the plugin
completely to disable it. For a use-case see e.g.
https://bugzilla.redhat.com/show_bug.cgi?id=1072939.

Resolves:
https://pagure.io/SSSD/sssd/issue/3359

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
secrets: allow to configure certificate check 2017-03-30T17:08:00+00:00 Pavel Březina pbrezina@redhat.com 2017-02-28T10:47:32+00:00 720e1a5b95a953a0f1c8315bbb7c9c1edf9fb417 Some users may want to use TLS with unverified peer (for example if they use self-signed certificate) or if unverified hostname (if certificate hostname does not match with the real hostname). On the other side it may be useful to point to a directory containing custom certificate authorities. This patch add three new options to secrets responder: verify_peer => peer's certificate must be valid verify_host => hostnames must match capath => path to directory containing CA certs cacert => ca certificate cert => client certificate key => client private key Resolves: https://pagure.io/SSSD/sssd/issue/3192 Reviewed-by: Simo Sorce <simo@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> 
Some users may want to use TLS with unverified peer (for example if
they use self-signed certificate) or if unverified hostname (if
certificate hostname does not match with the real hostname). On the
other side it may be useful to point to a directory containing custom
certificate authorities.

This patch add three new options to secrets responder:
verify_peer => peer's certificate must be valid
verify_host => hostnames must match
capath => path to directory containing CA certs
cacert => ca certificate
cert => client certificate
key => client private key

Resolves:
https://pagure.io/SSSD/sssd/issue/3192

Reviewed-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
PAM: Add application services 2017-03-30T12:09:52+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-26T16:28:41+00:00 3e789aa0bd6b7bb6e62f91458b76753498030fb5 Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new PAM responder option 'pam_app_services'. This option can hold a list of PAM services that are allowed to contact the application non-POSIX domains. These services are NOT allowed to contact any of the POSIX domains. Reviewed-by: Sumit Bose <sbose@redhat.com> 
Related to:
https://pagure.io/SSSD/sssd/issue/3310

Adds a new PAM responder option 'pam_app_services'. This option can hold
a list of PAM services that are allowed to contact the application
non-POSIX domains. These services are NOT allowed to contact any of the
POSIX domains.

Reviewed-by: Sumit Bose <sbose@redhat.com>
CONFDB: Allow configuring [application] sections as non-POSIX domains 2017-03-30T12:09:10+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-27T07:48:46+00:00 825e8bf2f73a815c2eceb36ae805145fcbacf74d Related to: https://pagure.io/SSSD/sssd/issue/3310 Allows to add a new section: [application/$name] This section internally (on the confdb level) expands to: [domain/$name] domain_type = application The reasons to add this new section is two-fold. One, to make the configuration of application domains more explicit and two, to make it possible to share configuration between two domains, one POSIX and one non-POSIX by application domain's inherit_from option: [application/$name] inherit_from = posix_domain_name Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related to:
https://pagure.io/SSSD/sssd/issue/3310

Allows to add a new section:
    [application/$name]

This section internally (on the confdb level) expands to:
    [domain/$name]
    domain_type = application

The reasons to add this new section is two-fold. One, to make the
configuration of application domains more explicit and two, to make it
possible to share configuration between two domains, one POSIX and one
non-POSIX by application domain's inherit_from option:
    [application/$name]
    inherit_from = posix_domain_name

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
CONFDB: Introduce SSSD domain type to distinguish POSIX and application domains 2017-03-30T12:09:02+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-22T11:53:17+00:00 6324eaf1fb321c41ca9883966118df6d45259b7e Related to: https://pagure.io/SSSD/sssd/issue/3310 Adds a new option that allows to distinguish domains that do contain POSIX users and groups and those that don't. The POSIX domains are the default. The non-POSIX domains are selected by selecting an "application" type domain. Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
Related to:
https://pagure.io/SSSD/sssd/issue/3310

Adds a new option that allows to distinguish domains that do contain
POSIX users and groups and those that don't. The POSIX domains are the
default. The non-POSIX domains are selected by selecting an
"application" type domain.

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Add domain_resolution_order config option 2017-03-29T12:00:17+00:00 Fabiano Fidêncio fidencio@redhat.com 2017-03-26T01:00:14+00:00 16385568547351b5d2c562f3081f35f3341f695b This is the local equivalent of option of ipaDomainResolutionOrder and has precedence over the ones set on IPA side making the precedence order to be like: Local > View > Globally. As done for the IPA side configurations, the domains which were not explicitly set up will be apennded to the final of the domain_resolution_order list in the very same order they're presented in the "domains" option of [sssd] section in the config file. There's no guarantee of order for the subdomains though. It's also important to mention that no expansion magic is performed on our side. It means that if 'example.com' is set it does *not* stand for all its subdomains DNS wise (like 'foo.example.com', 'bar.example.com', etc). Related: https://pagure.io/SSSD/sssd/issue/3001 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com> 
This is the local equivalent of option of ipaDomainResolutionOrder and
has precedence over the ones set on IPA side making the precedence order
to be like: Local > View > Globally.

As done for the IPA side configurations, the domains which were not
explicitly set up will be apennded to the final of the
domain_resolution_order list in the very same order they're presented in
the "domains" option of [sssd] section in the config file. There's no
guarantee of order for the subdomains though.

It's also important to mention that no expansion magic is performed on
our side. It means that if 'example.com' is set it does *not* stand for
all its subdomains DNS wise (like 'foo.example.com', 'bar.example.com',
etc).

Related:
https://pagure.io/SSSD/sssd/issue/3001

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>

Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
SUBDOMAINS: Allow use_fully_qualified_names for subdomains 2017-03-29T12:00:17+00:00 Michal Židek mzidek@redhat.com 2017-03-23T12:14:56+00:00 a63d74f65db2db7389cd373cb37adcdaaa2d56ea Allow option use_fully_qualified_names in subdomain section. This option was recently added to subdomain_inherit. Resolves: https://pagure.io/SSSD/sssd/issue/3337 Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> 
Allow option use_fully_qualified_names in subdomain section.
This option was recently added to subdomain_inherit.

Resolves:
https://pagure.io/SSSD/sssd/issue/3337

Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
MAN: Add a manual page for sssd-kcm 2017-03-27T07:57:55+00:00 Jakub Hrozek jhrozek@redhat.com 2017-03-08T16:46:09+00:00 ba89271f594e5ed381b4dcb876a2d2787cf51902 Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
certmap: add new library libsss_certmap 2017-03-23T16:18:35+00:00 Sumit Bose sbose@redhat.com 2017-02-02T10:24:02+00:00 db36dca3d45e6eefbb30042ee65876566f1a6014 With this library it would be possible to map certificates and users not only by adding the full certificate to the user's LDAP object but by adding e.g. only parts like the issuer and subject name. Additionally the library is also able to flexible select/match certificates based on values in the certificate. Details about mapping and matching rules can be found in the included man page. Related to https://pagure.io/SSSD/sssd/issue/3050 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> 
With this library it would be possible to map certificates and users not
only by adding the full certificate to the user's LDAP object but by
adding e.g. only parts like the issuer and subject name. Additionally
the library is also able to flexible select/match certificates based on
values in the certificate.

Details about mapping and matching rules can be found in the included
man page.

Related to https://pagure.io/SSSD/sssd/issue/3050

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>