From f2b40ec8a4158fec75873828e4980965abbe7f66 Mon Sep 17 00:00:00 2001 From: Yassir Elley Date: Fri, 5 Sep 2014 18:45:12 -0400 Subject: AD-GPO: config changes for gpo_map_* options MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Sumit Bose Reviewed-by: Lukáš Slebodník --- src/man/sssd-ad.5.xml | 329 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 329 insertions(+) (limited to 'src/man') diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml index 8d90bc13..f63a496d 100644 --- a/src/man/sssd-ad.5.xml +++ b/src/man/sssd-ad.5.xml 
@@ -332,6 +332,335 @@ FOREST:EXAMPLE.COM:(memberOf=cn=admins,ou=groups,dc=example,dc=com) + + ad_gpo_map_interactive (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the InteractiveLogonRight and + DenyInteractiveLogonRight policy settings. + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for this logon right (e.g. login) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + + ad_gpo_map_interactive = +my_pam_service, -login + + + + Default: the default set of PAM service names includes: + + + + login + + + + + su + + + + + su-l + + + + + gdm-fingerprint + + + + + gdm-password + + + + + gdm-smartcard + + + + + kdm + + + + + + + + + ad_gpo_map_remote_interactive (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the RemoteInteractiveLogonRight and + DenyRemoteInteractiveLogonRight policy settings. + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for this logon right (e.g. sshd) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + + ad_gpo_map_remote_interactive = +my_pam_service, -sshd + + + + Default: the default set of PAM service names includes: + + + + sshd + + + + + + + + + ad_gpo_map_network (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the NetworkLogonRight and DenyNetworkLogonRight + policy settings. 
+ + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for this logon right (e.g. ftp) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + + ad_gpo_map_network = +my_pam_service, -ftp + + + + Default: the default set of PAM service names includes: + + + + ftp + + + + + samba + + + + + + + + + ad_gpo_map_batch (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the BatchLogonRight and DenyBatchLogonRight + policy settings. + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for this logon right (e.g. crond) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + + ad_gpo_map_batch = +my_pam_service, -crond + + + + Default: the default set of PAM service names includes: + + + + crond + + + + + + + + + ad_gpo_map_service (string) + + + A comma-separated list of PAM service names for + which GPO-based access control is evaluated based on + the ServiceLogonRight and DenyServiceLogonRight + policy settings. + + + It is possible to add a PAM service name to the + default set by using +service_name. + Since the default set is empty, it is not possible + to remove a PAM service name from the default set. + For example, in order to add a custom pam service + name (e.g. 
my_pam_service), you + would use the following configuration: + + ad_gpo_map_service = +my_pam_service + + + + Default: not set + + + + + + ad_gpo_map_permit (string) + + + A comma-separated list of PAM service names for + which GPO-based access is always granted, regardless + of any GPO Logon Rights. + + + It is possible to add another PAM service name + to the default set by using +service_name + or to explicitly remove a PAM service name from + the default set by using -service_name. + For example, in order to replace a default PAM service + name for unconditionally permitted access (e.g. sudo) + with a custom pam service name (e.g. my_pam_service), + you would use the following configuration: + + ad_gpo_map_permit = +my_pam_service, -sudo + + + + Default: the default set of PAM service names includes: + + + + sudo + + + + + sudo-i + + + + + + + + + ad_gpo_map_deny (string) + + + A comma-separated list of PAM service names for + which GPO-based access is always denied, regardless + of any GPO Logon Rights. + + + It is possible to add a PAM service name to the + default set by using +service_name. + Since the default set is empty, it is not possible + to remove a PAM service name from the default set. + For example, in order to add a custom pam service + name (e.g. my_pam_service), you + would use the following configuration: + + ad_gpo_map_deny = +my_pam_service + + + + Default: not set + + + + + + ad_gpo_default_right (string) + + + This option defines how access control is evaluated + for PAM service names that are not explicitly listed + in one of the ad_gpo_map_* options. This option can be + set in two different manners. First, this option can + be set to use a default logon right. For example, if + this option is set to 'interactive', it means that + unmapped PAM service names will be processed based on + the InteractiveLogonRight and DenyInteractiveLogonRight + policy settings. 
Alternatively, this option can be set + to either always permit or always deny access for + unmapped PAM service names. + + + Supported values for this option include: + + + + interactive + + + + + remote_interactive + + + + + network + + + + + batch + + + + + service + + + + + permit + + + + + deny + + + + + + Default: deny + + + + dyndns_update (boolean) -- cgit
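Review bot: the new ad_gpo_map_interactive through ad_gpo_map_deny entries never say what happens when the same PAM service name ends up in more than one mapping (for example `ad_gpo_map_permit = +sshd` while sshd is still in the ad_gpo_map_remote_interactive default set), or when a name is listed without a leading + or -. Because ad_gpo_map_permit grants access "regardless of any GPO Logon Rights", the man page should state which mapping wins in a conflict (or that the configuration is rejected) so an operator cannot widen access without noticing. Two smaller points in the same text: the examples such as `ad_gpo_map_interactive = +my_pam_service, -login` contain a space after the comma, so either state that whitespace around entries is ignored or drop the space from the examples; and ad_gpo_map_service and ad_gpo_map_deny say `Default: not set` while their description speaks of an empty default set, so use one wording for both.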