summaryrefslogtreecommitdiffstats
path: root/src/config/etc
Commit message (Collapse)AuthorAgeFilesLines
* config: Add config_file_version to schemaMichal Židek2016-07-121-0/+1
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/3068 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* config: Allow timeout for all sevicesMichal Židek2016-07-121-1/+1
| | | | | | | | | | Allow option "timeout" for all sevices. Also remove unused macro CONFDB_SERVICE_TIMEOUT. Resolves: https://fedorahosted.org/sssd/ticket/3068 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* config: Fix user_attributesMichal Židek2016-07-121-1/+1
| | | | | | | | | | Fixes: https://fedorahosted.org/sssd/ticket/3068 Option user_attributes is also available in NSS responder, but not in PAC responder. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* config: override_space is monitor's optionMichal Židek2016-07-121-1/+1
| | | | | | | | | | We read override_space from [sssd] not [nss] section. Resolves: https://fedorahosted.org/sssd/ticket/3068 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* DEBUG: Add `debug` alias for debug_levelStephen Gallagher2016-06-161-0/+2
| | | | | | | | | | | | | Our users constantly make the mistake of typing `debug = 9` in the sssd.conf instead of `debug_level = 9` as would be correct. This happens frequently-enough that we should just alias it rather than continue to have people make mistakes. Resolves: https://fedorahosted.org/sssd/ticket/2999 Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Petr Cech <pcech@redhat.com>
* RESPONDERS: Negative caching of local usersPetr Cech2016-06-101-0/+1
| | | | | | | | | | | This patch adds new option 'neg_cache_locals_timeout' into section of NSS responder. It allows negative caching of local groups and users. Default value is 0 which means no caching. Resolves: https://fedorahosted.org/sssd/ticket/2928 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* p11: add missing man page entry and config APISumit Bose2016-06-091-0/+2
| | | | | | | The pam_cert_auth and pam_cert_db_path option where missing in the config API and had no man page entries. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* PAC: only save PAC blob into the cacheSumit Bose2016-04-131-0/+1
| | | | | | Resolves https://fedorahosted.org/sssd/ticket/2158 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA SUDO: download externalUser attributePavel Březina2016-03-091-0/+1
| | | | | | | | | | This allows configuration with id_provider = proxy and sudo_provider = ipa when someone needs to fetch rules for local users. https://fedorahosted.org/sssd/ticket/2972 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add a new option ldap_group_external_memberJakub Hrozek2016-02-243-0/+3
| | | | | | | Required for: https://fedorahosted.org/sssd/ticket/2522 Reviewed-by: Sumit Bose <sbose@redhat.com>
* PAM: Pass account lockout status and display messagePavel Reichl2016-02-171-0/+1
| | | | | | | | | Tested against Windows Server 2012. Resolves: https://fedorahosted.org/sssd/ticket/2839 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IDMAP: Add support for automatic adding of rangesPavel Reichl2016-01-203-0/+3
| | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2188 Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: add task to renew the machine account password if neededSumit Bose2016-01-191-0/+2
| | | | | | | | | | | | | | | | | | AD expects its clients to renew the machine account password on a regular basis, be default every 30 days. Even if a client does not renew the password it might not cause issues because AD does not enforce the renewal. But the password age might be used to identify unused machine accounts in large environments which might get disabled or deleted automatically. With this patch SSSD calls an external program to check the age of the machine account password and renew it if needed. Currently 'adcli' is used as external program which is able to renew the password since version 0.8.0. Resolves https://fedorahosted.org/sssd/ticket/1041 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* IPA SUDO: Add support for ipaSudoRunAsExt* attributesPavel Březina2016-01-191-0/+3
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: Add ipasudocmd mappingPavel Březina2016-01-191-0/+4
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: Add ipasudocmdgrp mappingPavel Březina2016-01-191-0/+5
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA SUDO: Add ipasudorule mappingPavel Březina2016-01-191-0/+20
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* AD: Add autofs providerJakub Hrozek2015-11-261-0/+9
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/1632 Adds the possibility to configure: autofs_provider = ad The AD autofs provider uses the rfc2307 (nis*) attribute maps. This is different (at the moment) from using autofs_provider=ldap with ldap_schema=ad. Reviewed-by: Ondrej Valousek <ondrejv2@fedoraproject.org> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* p11: enable ocsp checksSumit Bose2015-11-261-0/+1
| | | | | | | | | | | This patch enables the Online Certificate Status Protocol in NSS and adds an option to disable it if needed. To make further tuning of certificate verification more easy it is not an option on its own but an option to the new certificate_verification configuration option. Resolves https://fedorahosted.org/sssd/ticket/2812 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* SSSD: Add a new option diag_cmdJakub Hrozek2015-11-131-0/+1
| | | | | | | | | | | | | | | | | | | | This option is an optional one that is run when a sbus ping times out and before a SIGKILL signal is sent. It is undocumented by default. diag_cmd (string): A command that should be run for diagnostic purpose when an sbus timeout fails. The option value may contain %p which would be expanded for the process ID of the process that timed out Example: pstack %p This setting would print the stackstrace of the service whose ping timed out. Default: not set. Reviewed-by: Petr Cech <pcech@redhat.com>
* PAM: Make p11_child timeout configurableMichal Židek2015-09-231-0/+1
| | | | | | | | Ticket: https://fedorahosted.org/sssd/ticket/2773 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>
* DYNDNS: Add a new option dyndns_serverJakub Hrozek2015-08-141-0/+1
| | | | | | | | | | | Some environments use a different DNS server than identity server. For these environments, it would be useful to be able to override the DNS server used to perform DNS updates. This patch adds a new option dyndns_server that, if set, would be used to hardcode a DNS server address into the nsupdate message. Reviewed-by: Pavel Reichl <preichl@redhat.com>
* sudo: use "higher value wins" when ordering rulesPavel Březina2015-08-141-0/+1
| | | | | | | | | | | | This commit changes the default ordering logic (lower value wins) to a correct one that is used by native ldap support. It also adds a new option sudo_inverse_order to switch to the original SSSD (incorrect) behaviour if needed. Resolves: https://fedorahosted.org/sssd/ticket/2682 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ssh: generate public keys from certificateSumit Bose2015-07-311-0/+1
| | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2711 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Add the wildcard_limit optionJakub Hrozek2015-07-153-0/+3
| | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2553 Adds a new wildcard_limit option that is set by default to 1000 (one page). This option limits the number of entries that can by default be returned by a wildcard search. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* PAM: authenticate agains cachePavel Reichl2015-07-061-0/+1
| | | | | | | | | | | Enable authenticating users from cache even when SSSD is in online mode. Introduce new option `cached_auth_timeout`. Resolves: https://fedorahosted.org/sssd/ticket/1807 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: add ldap_user_certificate optionSumit Bose2015-06-193-0/+3
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2596 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* adding ldap_user_auth_type where missingSumit Bose2015-06-193-0/+3
| | | | Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* confdb: Add new option subdomain_inheritJakub Hrozek2015-06-051-0/+1
| | | | | | | | | | | | | | Adds a new option subdomain_inherit that would allow administrators to pick and choose which option to pass to subdomains. This option is required for: https://fedorahosted.org/sssd/ticket/2644 as a short-term fix. The proper solution is described in: https://fedorahosted.org/sssd/ticket/2599 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* krb5: new option krb5_map_userPavel Reichl2015-05-283-0/+3
| | | | | | | | | | New option `krb5_map_user` providing mapping of ID provider names to Kerberos principals. Resolves: https://fedorahosted.org/sssd/ticket/2509 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Add cache_credentials_minimal_first_factor_length config optionSumit Bose2015-05-081-0/+1
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Remove the ipa_hbac_treat_deny_as optionJakub Hrozek2015-03-241-1/+0
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2603 Since deny rules are no longer supported on the server, the client should no longer support them either. Remove the option. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* PAM: new option pam_account_expired_messagePavel Reichl2015-02-231-0/+1
| | | | | | | | | | This option sets string to be printed when authenticating using SSH keys and account is expired. Resolves: https://fedorahosted.org/sssd/ticket/2050 Reviewed-by: Sumit Bose <sbose@redhat.com>
* Add user_attributes to ifp section of API schemaRob Crittenden2015-02-131-0/+1
| | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2586 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD: add new option ad_sitePavel Reichl2015-01-261-0/+1
| | | | | | | | | This option overrides a result of the automatic site discovery. Resolves: https://fedorahosted.org/sssd/ticket/2486 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* AD/IPA: add krb5_confd_path configuration optionSumit Bose2014-11-252-0/+2
| | | | | | | | | With this new parameter the directory where Kerberos configuration snippets are created can be specified. Fixes https://fedorahosted.org/sssd/ticket/2473 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Revert "LDAP: Remove unused option ldap_group_uuid"Sumit Bose2014-11-063-0/+3
| | | | | | This reverts commit b5242c146cc0ca96e2b898a74fb060efda15bc77. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* Revert "LDAP: Remove unused option ldap_user_uuid"Sumit Bose2014-11-063-0/+3
| | | | | | This reverts commit dfb2960ab251f609466fa660449703835c97f99a. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SSSD: Load a user to run a service as from configurationJakub Hrozek2014-10-221-0/+1
| | | | | | | | | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2370 Adds a option, user to run as, that is specified in the [sssd] section. When this option is specified, SSSD will run as this user and his private group. When these are not specified, SSSD will run as the configure-time user and group (usually root). Currently all services and providers are started as root. There is a temporary svc_supported_as_nonroot() function that returns true for a service if that service runs and was tested as nonroot and false otherwise. Currently this function always returns false, but will be amended in future patches. Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* IPA: add view support and get view nameSumit Bose2014-10-161-0/+7
| | | | | | Related to https://fedorahosted.org/sssd/ticket/2375 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* sssd.api.conf: Declare case_sensitive as stringMichal Zidek2014-10-011-1/+1
| | | | | | | Fixes: https://fedorahosted.org/sssd/ticket/2452 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* PAM: new options pam_trusted_users & pam_public_domainsPavel Reichl2014-09-291-0/+2
| | | | | | | | | | | | | pam_public_domains option is a list of numerical UIDs or user names that are trusted. pam_public_domains option is a list of domains accessible even for untrusted users. Based on: https://fedorahosted.org/sssd/wiki/DesignDocs/RestrictDomainsInPAM Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD-GPO: config changes for gpo_map_* optionsYassir Elley2014-09-081-0/+8
| | | | | Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* SSS_CACHE: Allow sss_cache tool to flush SSH hosts cacheWilliam B2014-09-051-0/+1
| | | | | | | | | | Resolves: https://fedorahosted.org/sssd/ticket/2358 Signed-off-by: Jan Cholasta <jcholast@redhat.com> Reviewed-by: Jan Cholasta <jcholast@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SDAP: new option - DN to ppolicy on LDAPPavel Reichl2014-08-273-0/+3
| | | | | | | | | | To check value of pwdLockout attribute on LDAP server, DN of ppolicy must be set. Resolves: https://fedorahosted.org/sssd/ticket/2364 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* Only replace space with the specified substitutionJakub Hrozek2014-08-131-1/+1
| | | | | | | | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2397 - make sss_replace_whitespaces only replace space (' ') not any whitespace - make sss_replace_whitespaces only replace a single char, not the whole string - rename CONFDB_NSS_OVERRIDE_DEFAULT_WHITESPACE to CONFDB_NSS_OVERRIDE_DEFAULT_SPACE - rename the override_default_whitespace option to override_space - rename sss_replace_whitespaces() to sss_replace_space() - rename sss_reverse_replace_whitespaces() to sss_reverse_replace_space() - rename nctx->override_default_wsp_str to nctx->override_space - make the return value of sss_replace_space non-const to avoid freeing the result without compilation warnings Reviewed-by: Pavel Březina <pbrezina@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* AD-GPO: add ad_gpo_cache_timeout optionYassir Elley2014-07-311-0/+1
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* NSS: Replace spaces with specified string in names.Lukas Slebodnik2014-07-281-0/+1
| | | | | | | | | | | | This patch add possibility to replace whitespace in user and group names with a specified string. With string "-", sssd will return the same result as winbind enabled option "winbind normalize names" Resolves: https://fedorahosted.org/sssd/ticket/1854 Reviewed-by: Pavel Reichl <preichl@redhat.com> Reviewed-by: Michal Židek <mzidek@redhat.com>
* LDAP: Remove unused option ldap_user_uuidLukas Slebodnik2014-07-253-3/+0
| | | | | | | | | | | | | | | | | | | | | | There is problem with OpenLDAP server and dereferencing of attributes that is not in the schema of the server? sh-4.2$ ldapsearch -x -LLL -h openldap.server.test -b 'dc=example,dc=com' \ -E 'deref=member:uid,dummy_attr' cn=ref_grp Protocol error (2) Additional information: Dereference control: attribute decoding error sh-4.2$ echo $? 2 The attribute nsUniqueID is a 389-only, non-standard attribute. It is an operational attribute that is not in the rfc2307bis nor inetOrgPerson nor posixAccount schema. It was a default value of option ldap_user_uuid, but it was not use anywhere. Resolves: https://fedorahosted.org/sssd/ticket/2383 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* LDAP: Remove unused option ldap_group_uuidLukas Slebodnik2014-07-253-3/+0
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-06 11:50:39 +0000