path: root/src/config/cfg_rules.ini
blob: 85a15be3493cf4b8c5a612b0f66ae4c86d39b1ab (plain)
# Allowlist of section names: eight fixed names plus any section whose name
# matches section_re below.
# NOTE(review): presumably a section matching neither list is reported by the
# ini_allowed_sections validator; confirm whether the caller treats that report
# as a warning or as a refusal to start, since that decides whether a mistyped
# section name is silently ignored.
[rule/allowed_sections]
validator = ini_allowed_sections
section = sssd
section = nss
section = pam
section = sudo
section = autofs
section = ssh
section = pac
section = ifp
# ".*" accepts any suffix after "domain/", including an empty one.
section_re = ^domain/.*$

# Option names accepted in the section named exactly "sssd" (section_re is
# anchored at both ends).
[rule/allowed_sssd_options]
validator = ini_allowed_options
section_re = ^sssd$

# Generic options: the same twelve names open every allowed_*_options rule in
# this file.
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_to_files
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
option = diag_cmd

# Monitor service
option = services
option = domains
option = timeout
option = sbus_timeout
option = re_expression
option = full_name_format
option = krb5_rcache_dir
option = user
option = default_domain_suffix
# NOTE(review): this rule lists option names only; nothing here constrains the
# value given to certificate_verification, so a value that relaxes certificate
# checks would still pass. Review values separately.
option = certificate_verification
option = override_space

# Option names accepted in the section named exactly "nss".
[rule/allowed_nss_options]
validator = ini_allowed_options
section_re = ^nss$

# Generic options: the same twelve names open every allowed_*_options rule in
# this file.
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_to_files
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
option = diag_cmd

# Name service
option = user_attributes
option = enum_cache_timeout
option = entry_cache_nowait_percentage
option = entry_negative_timeout
option = local_negative_timeout
option = filter_users
option = filter_groups
option = filter_users_in_groups
option = pwfield
option = override_homedir
option = fallback_homedir
option = homedir_substring
# NOTE(review): the shell options below decide which login shell is handed to
# a looked-up user; only their names are checked here, not the paths they hold.
option = override_shell
option = allowed_shells
option = vetoed_shells
option = shell_fallback
option = default_shell
option = get_domains_timeout
option = memcache_timeout

# Option names accepted in the section named exactly "pam".
[rule/allowed_pam_options]
validator = ini_allowed_options
section_re = ^pam$

# Generic options: the same twelve names open every allowed_*_options rule in
# this file.
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_to_files
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
option = diag_cmd

# Authentication service
# NOTE(review): several names in this group govern authentication policy
# (offline credential lifetime, failed-login handling, trusted users, public
# domains, certificate authentication). The rule checks names only; a
# permissive value passes unchanged, so review values separately.
option = offline_credentials_expiration
option = offline_failed_login_attempts
option = offline_failed_login_delay
option = pam_verbosity
option = pam_id_timeout
option = pam_pwd_expiration_warning
option = get_domains_timeout
option = pam_trusted_users
option = pam_public_domains
option = pam_account_expired_message
option = pam_account_locked_message
option = pam_cert_auth
option = pam_cert_db_path
option = p11_child_timeout

# Option names accepted in the section named exactly "sudo".
[rule/allowed_sudo_options]
validator = ini_allowed_options
section_re = ^sudo$

# Generic options: the same twelve names open every allowed_*_options rule in
# this file.
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_to_files
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
option = diag_cmd

# sudo service
# NOTE(review): sudo_timed and sudo_inverse_order presumably affect which sudo
# rules apply and in what order; see sssd.conf(5) for their meaning. Values are
# not checked by this rule.
option = sudo_timed
option = sudo_inverse_order

# Option names accepted in the section named exactly "autofs".
[rule/allowed_autofs_options]
validator = ini_allowed_options
section_re = ^autofs$

# Generic options: the same twelve names open every allowed_*_options rule in
# this file.
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_to_files
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
option = diag_cmd

# autofs service
option = autofs_negative_timeout

# Option names accepted in the section named exactly "ssh".
[rule/allowed_ssh_options]
validator = ini_allowed_options
section_re = ^ssh$

# Generic options: the same twelve names open every allowed_*_options rule in
# this file.
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_to_files
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
option = diag_cmd

# ssh service
option = ssh_hash_known_hosts
option = ssh_known_hosts_timeout
# NOTE(review): ca_db presumably points at a certificate store used when
# validating certificates for ssh keys; the path itself is not checked here.
option = ca_db

# Option names accepted in the section named exactly "pac".
[rule/allowed_pac_options]
validator = ini_allowed_options
section_re = ^pac$

# Generic options: the same twelve names open every allowed_*_options rule in
# this file.
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_to_files
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
option = diag_cmd

# PAC responder
# NOTE(review): allowed_uids presumably limits which local UIDs may use this
# responder (see sssd.conf(5)). The list it holds is not validated by this
# rule, so an over-broad value passes.
option = allowed_uids
option = pac_lifetime

# Option names accepted in the section named exactly "ifp".
[rule/allowed_ifp_options]
validator = ini_allowed_options
section_re = ^ifp$

# Generic options: the same twelve names open every allowed_*_options rule in
# this file.
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_to_files
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
option = diag_cmd

# InfoPipe responder
# NOTE(review): allowed_uids and user_attributes presumably decide who may
# query this responder and which attributes it returns (see sssd-ifp(5)).
# Values are not validated by this rule.
option = allowed_uids
option = user_attributes

# Option names accepted in every section whose name matches section_re, i.e.
# any name starting with "domain/". One list serves all domains, so options of
# every provider type are accepted in every domain section regardless of which
# providers that domain actually configures.
[rule/allowed_domain_options]
validator = ini_allowed_options
section_re = ^domain/.*$

# Generic options: the same twelve names open every allowed_*_options rule in
# this file.
option = debug
option = debug_level
option = debug_timestamps
option = debug_microseconds
option = debug_to_files
option = command
option = reconnection_retries
option = fd_limit
option = client_idle_timeout
option = force_timeout
option = description
option = diag_cmd

# Available provider types
# Each *_provider option names the back end a domain uses for one function.
# NOTE(review): values are not checked by this rule.
option = id_provider
option = auth_provider
option = access_provider
option = chpass_provider
option = sudo_provider
option = autofs_provider
option = session_provider
option = hostid_provider
option = subdomains_provider

# Options available to all domains
option = min_id
option = max_id
option = timeout
option = try_inotify
option = enumerate
option = subdomain_enumerate
# NOTE(review): force_timeout is also in the generic list at the top of this
# rule; the repeat looks redundant if the validator treats the list as a set.
# Confirm before removing.
option = force_timeout
option = offline_timeout
# NOTE(review): the three options below govern whether and how credentials are
# kept locally. This rule accepts the names without looking at the values.
option = cache_credentials
option = cache_credentials_minimal_first_factor_length
option = store_legacy_passwords
option = use_fully_qualified_names
option = ignore_group_members
option = entry_cache_timeout
option = lookup_family_order
option = account_cache_expiration
option = pwd_expiration_warning
option = filter_users
option = filter_groups
option = dns_resolver_timeout
option = dns_discovery_domain
option = override_gid
option = case_sensitive
option = override_homedir
option = fallback_homedir
option = homedir_substring
option = override_shell
option = default_shell
# NOTE(review): description is also in the generic list at the top of this
# rule; same redundancy question as force_timeout.
option = description
option = realmd_tags
option = subdomain_refresh_interval
option = subdomain_inherit
option = cached_auth_timeout
option = wildcard_limit

# Entry cache timeouts
# One timeout name per cached object type, plus the refresh interval.
option = entry_cache_user_timeout
option = entry_cache_group_timeout
option = entry_cache_netgroup_timeout
option = entry_cache_service_timeout
option = entry_cache_autofs_timeout
option = entry_cache_sudo_timeout
option = entry_cache_ssh_host_timeout
option = refresh_expired_interval

# Dynamic DNS updates
# NOTE(review): dyndns_auth and dyndns_server presumably select how DNS updates
# are authenticated and where they are sent; their values are not checked by
# this rule.
option = dyndns_update
option = dyndns_ttl
option = dyndns_iface
option = dyndns_refresh_interval
option = dyndns_update_ptr
option = dyndns_force_tcp
option = dyndns_auth
option = dyndns_server

# local provider specific options
# NOTE(review): userdel_cmd names a command and homedir_umask a file-mode mask.
# Both are accepted by name only, so what command runs and what mask applies
# must be reviewed in the configuration itself.
option = create_homedir
option = remove_homedir
option = homedir_umask
option = skel_dir
option = mail_dir
option = userdel_cmd
option = base_directory

# proxy provider specific options
# NOTE(review): proxy_lib_name and proxy_pam_target presumably select an NSS
# library and a PAM target used by the daemon (see sssd.conf(5)); the values
# are not validated by this rule.
option = proxy_lib_name
option = proxy_fast_alias
option = proxy_pam_target

# simple access provider specific options
# These four names hold allow/deny lists. A misspelled name in a domain section
# would not match any entry here.
# NOTE(review): presumably that is how a typo in an access list gets noticed
# instead of being silently ignored; confirm how validation errors surface.
option = simple_allow_users
option = simple_deny_users
option = simple_allow_groups
option = simple_deny_groups

# AD provider specific options
# NOTE(review): ad_access_filter and the ad_gpo_* names carry access-control
# policy, and the machine-account password names carry credential-rotation
# policy (see sssd-ad(5)). This rule checks names only.
option = ad_access_filter
option = ad_backup_server
option = ad_domain
option = ad_enable_dns_sites
option = ad_enable_gc
option = ad_gpo_access_control
option = ad_gpo_cache_timeout
option = ad_gpo_default_right
option = ad_gpo_map_batch
option = ad_gpo_map_deny
option = ad_gpo_map_interactive
option = ad_gpo_map_network
option = ad_gpo_map_permit
option = ad_gpo_map_remote_interactive
option = ad_gpo_map_service
option = ad_hostname
option = ad_machine_account_password_renewal_opts
option = ad_maximum_machine_account_password_age
option = ad_server
option = ad_site

# IPA provider specific options
# Most names in this group follow an ipa_<object>_<attribute> pattern (host,
# hostgroup, netgroup, selinux_usermap, sudocmd, sudocmdgroup, sudorule).
option = ipa_anchor_uuid
option = ipa_automount_location
option = ipa_backup_server
option = ipa_domain
option = ipa_dyndns_iface
option = ipa_dyndns_ttl
option = ipa_dyndns_update
option = ipa_enable_dns_sites
option = ipa_group_override_object_class
option = ipa_hbac_refresh
option = ipa_hbac_search_base
option = ipa_hbac_support_srchost
option = ipa_host_fqdn
option = ipa_hostgroup_memberof
option = ipa_hostgroup_member
option = ipa_hostgroup_name
option = ipa_hostgroup_objectclass
option = ipa_hostgroup_uuid
option = ipa_host_member_of
option = ipa_host_name
option = ipa_hostname
option = ipa_host_object_class
option = ipa_host_search_base
option = ipa_host_serverhostname
option = ipa_host_ssh_public_key
option = ipa_host_uuid
option = ipa_master_domain_search_base
option = ipa_netgroup_domain
option = ipa_netgroup_member_ext_host
option = ipa_netgroup_member_host
option = ipa_netgroup_member_of
option = ipa_netgroup_member
option = ipa_netgroup_member_user
option = ipa_netgroup_name
option = ipa_netgroup_object_class
option = ipa_netgroup_uuid
# NOTE(review): spelled "overide" here, unlike ipa_group_override_object_class
# and ipa_user_override_object_class in this same list. Confirm which spelling
# the IPA provider actually registers before changing it; the allowlist must
# match the provider's name, not the dictionary.
option = ipa_overide_object_class
option = ipa_ranges_search_base
option = ipa_selinux_refresh
option = ipa_selinux_usermap_enabled
option = ipa_selinux_usermap_host_category
option = ipa_selinux_usermap_member_host
option = ipa_selinux_usermap_member_user
option = ipa_selinux_usermap_name
option = ipa_selinux_usermap_object_class
option = ipa_selinux_usermap_see_also
option = ipa_selinux_usermap_selinux_user
option = ipa_selinux_usermap_user_category
option = ipa_selinux_usermap_uuid
option = ipa_server_mode
option = ipa_server
option = ipa_subdomains_search_base
option = ipa_sudocmdgroup_entry_usn
option = ipa_sudocmdgroup_member
option = ipa_sudocmdgroup_name
option = ipa_sudocmdgroup_object_class
option = ipa_sudocmdgroup_uuid
option = ipa_sudocmd_memberof
option = ipa_sudocmd_object_class
option = ipa_sudocmd_sudoCmd
option = ipa_sudocmd_uuid
option = ipa_sudorule_allowcmd
option = ipa_sudorule_cmdcategory
option = ipa_sudorule_denycmd
option = ipa_sudorule_enabled_flag
option = ipa_sudorule_entry_usn
option = ipa_sudorule_externaluser
option = ipa_sudorule_hostcategory
option = ipa_sudorule_host
option = ipa_sudorule_name
option = ipa_sudorule_notafter
option = ipa_sudorule_notbefore
option = ipa_sudorule_object_class
option = ipa_sudorule_option
option = ipa_sudorule_runasextgroup
option = ipa_sudorule_runasextusergroup
option = ipa_sudorule_runasextuser
option = ipa_sudorule_runasgroupcategory
option = ipa_sudorule_runasgroup
option = ipa_sudorule_runasusercategory
option = ipa_sudorule_sudoorder
option = ipa_sudorule_usercategory
option = ipa_sudorule_user
option = ipa_sudorule_uuid
option = ipa_user_override_object_class
option = ipa_view_class
option = ipa_view_name
option = ipa_views_search_base

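# krb5 provider specific options
# Each name is listed once; a second, identical "option = krb5_realm" line was
# dropped because it added nothing to the allowlist.
# NOTE(review): krb5_validate, krb5_store_password_if_offline and krb5_keytab
# touch ticket validation and stored secrets (see sssd-krb5(5)); this rule
# checks their names only, not the values assigned.
option = krb5_auth_timeout
option = krb5_backup_kpasswd
option = krb5_backup_server
option = krb5_canonicalize
option = krb5_ccachedir
option = krb5_ccname_template
option = krb5_confd_path
option = krb5_fast_principal
option = krb5_kdcip
option = krb5_keytab
option = krb5_kpasswd
option = krb5_lifetime
option = krb5_map_user
option = krb5_realm
option = krb5_renewable_lifetime
option = krb5_renew_interval
option = krb5_server
option = krb5_store_password_if_offline
option = krb5_use_enterprise_principal
option = krb5_use_fast
option = krb5_use_kdcinfo
option = krb5_validate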

# ldap provider specific options
# NOTE(review): this group mixes schema attribute-mapping names with
# connection, TLS and bind-credential settings. The rule checks names only, so
# the security-relevant values flagged below need a separate review.
option = ldap_access_filter
option = ldap_access_order
option = ldap_account_expire_policy
option = ldap_autofs_entry_key
option = ldap_autofs_entry_object_class
option = ldap_autofs_entry_value
option = ldap_autofs_map_master_name
option = ldap_autofs_map_name
option = ldap_autofs_map_object_class
option = ldap_autofs_search_base
option = ldap_backup_uri
option = ldap_chpass_backup_uri
option = ldap_chpass_dns_service_name
option = ldap_chpass_update_last_change
option = ldap_chpass_uri
option = ldap_connection_expire_timeout
# NOTE(review): ldap_default_authtok presumably holds the bind credential for
# ldap_default_bind_dn (see sssd-ldap(5)). A configuration that sets it carries
# a secret, so ownership and mode of that configuration file matter.
option = ldap_default_authtok
option = ldap_default_authtok_type
option = ldap_default_bind_dn
option = ldap_deref
option = ldap_deref_threshold
option = ldap_disable_paging
option = ldap_disable_range_retrieval
option = ldap_dns_service_name
option = ldap_entry_usn
option = ldap_enumeration_refresh_timeout
option = ldap_enumeration_search_timeout
option = ldap_force_upper_case_realm
option = ldap_group_entry_usn
option = ldap_group_external_member
option = ldap_group_gid_number
option = ldap_group_member
option = ldap_group_modify_timestamp
option = ldap_group_name
option = ldap_group_nesting_level
option = ldap_group_object_class
option = ldap_group_objectsid
option = ldap_group_search_base
option = ldap_group_search_filter
option = ldap_group_search_scope
option = ldap_groups_use_matching_rule_in_chain
option = ldap_group_type
option = ldap_group_uuid
option = ldap_idmap_autorid_compat
option = ldap_idmap_default_domain_sid
option = ldap_idmap_default_domain
option = ldap_idmap_helper_table_size
option = ldap_id_mapping
option = ldap_idmap_range_max
option = ldap_idmap_range_min
option = ldap_idmap_range_size
# NOTE(review): ldap_id_use_start_tls presumably controls whether identity
# lookups are protected with StartTLS; the value is not checked here.
option = ldap_id_use_start_tls
option = ldap_initgroups_use_matching_rule_in_chain
option = ldap_krb5_init_creds
option = ldap_krb5_keytab
option = ldap_krb5_ticket_lifetime
option = ldap_max_id
option = ldap_min_id
option = ldap_netgroup_member
option = ldap_netgroup_modify_timestamp
option = ldap_netgroup_name
option = ldap_netgroup_object_class
option = ldap_netgroup_search_base
option = ldap_netgroup_triple
option = ldap_network_timeout
option = ldap_ns_account_lock
option = ldap_offline_timeout
option = ldap_opt_timeout
option = ldap_page_size
option = ldap_purge_cache_timeout
option = ldap_pwd_attribute
option = ldap_pwdlockout_dn
option = ldap_pwd_policy
option = ldap_referrals
option = ldap_rfc2307_fallback_to_local_users
option = ldap_rootdse_last_usn
option = ldap_sasl_authid
option = ldap_sasl_canonicalize
option = ldap_sasl_mech
option = ldap_sasl_minssf
option = ldap_schema
option = ldap_search_base
option = ldap_search_timeout
option = ldap_service_entry_usn
option = ldap_service_name
option = ldap_service_object_class
option = ldap_service_port
option = ldap_service_proto
option = ldap_service_search_base
option = ldap_sudo_full_refresh_interval
option = ldap_sudo_hostnames
option = ldap_sudo_include_netgroups
option = ldap_sudo_include_regexp
option = ldap_sudo_ip
option = ldap_sudorule_command
option = ldap_sudorule_host
option = ldap_sudorule_name
option = ldap_sudorule_notafter
option = ldap_sudorule_notbefore
option = ldap_sudorule_object_class
option = ldap_sudorule_option
option = ldap_sudorule_order
option = ldap_sudorule_runasgroup
option = ldap_sudorule_runas
option = ldap_sudorule_runasuser
option = ldap_sudorule_user
option = ldap_sudo_search_base
option = ldap_sudo_smart_refresh_interval
option = ldap_sudo_use_host_filter
# NOTE(review): the ldap_tls_* names configure trust anchors, client key
# material, cipher choice and how strictly the server certificate is checked
# (ldap_tls_reqcert; see sssd-ldap(5)). A value that relaxes certificate
# checking passes this rule unchanged.
option = ldap_tls_cacertdir
option = ldap_tls_cacert
option = ldap_tls_cert
option = ldap_tls_cipher_suite
option = ldap_tls_key
option = ldap_tls_reqcert
option = ldap_uri
option = ldap_user_ad_account_expires
option = ldap_user_ad_user_account_control
option = ldap_user_authorized_host
option = ldap_user_authorized_service
option = ldap_user_auth_type
option = ldap_user_certificate
option = ldap_user_entry_usn
option = ldap_user_extra_attrs
option = ldap_user_fullname
option = ldap_user_gecos
option = ldap_user_gid_number
option = ldap_user_home_directory
option = ldap_user_krb_last_pwd_change
option = ldap_user_krb_password_expiration
option = ldap_user_member_of
option = ldap_user_modify_timestamp
option = ldap_user_name
option = ldap_user_nds_login_allowed_time_map
option = ldap_user_nds_login_disabled
option = ldap_user_nds_login_expiration_time
option = ldap_user_object_class
option = ldap_user_objectsid
option = ldap_user_primary_group
option = ldap_user_principal
option = ldap_user_search_base
option = ldap_user_search_filter
option = ldap_user_search_scope
option = ldap_user_shadow_expire
option = ldap_user_shadow_flag
option = ldap_user_shadow_inactive
option = ldap_user_shadow_last_change
option = ldap_user_shadow_max
option = ldap_user_shadow_min
option = ldap_user_shadow_warning
option = ldap_user_shell
option = ldap_user_ssh_public_key
option = ldap_user_uid_number
option = ldap_user_uuid
option = ldap_use_tokengroups