p11: add missing man page entry and config API

The pam_cert_auth and pam_cert_db_path option where missing in the
config API and had no man page entries.

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

2 files changed, 4 insertions, 0 deletions

diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 1a0893cbc..e7bf43dfd 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -92,6 +92,8 @@ option_strings = {
     'pam_public_domains' : _('List of domains accessible even for untrusted users.'),
     'pam_account_expired_message' : _('Message printed when user account is expired.'),
     'pam_account_locked_message' : _('Message printed when user account is locked.'),
+    'pam_cert_auth' : _('Allow certificate based/Smartcard authentication.'),
+    'pam_cert_db_path' : _('Path to certificate databse with PKCS#11 modules.'),
     'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
 
     # [sudo]
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index a15f2bd05..a0a82543f 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -62,6 +62,8 @@ pam_trusted_users = str, None, false
 pam_public_domains = str, None, false
 pam_account_expired_message = str, None, false
 pam_account_locked_message = str, None, false
+pam_cert_auth = bool, None, false
+pam_cert_db_path = str, None, false
 p11_child_timeout = int, None, false
 
 [sudo]